LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-12-2013, 06:03 PM   #1
Zzipo
Afraid of system being compromised - is it true? How to solve? Newbie


Hello,

PART 1:

There are two computers. Computer A uses openSUSE and is usually used for common tasks (no risk at all). Suddenly, one day some "markers" in Mozilla Firefox were modified, but not by the legitimate users. The firewall rules were for eth0 (the only interface) in the External zone, and the router is connected directly to the DSL line (no other computers in the LAN).

I also include here the iptables -L rules.
Code:
userA@computerA:~> sudo /usr/sbin/iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
input_ext  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain forward_ext (0 references)
target     prot opt source               destination         

Chain input_ext (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcpflags: FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG        icmp --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG        udp  --  anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP       all  --  anywhere             anywhere

Chain reject_func (0 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
The modification of the Firefox markers cannot have been done by us; it is not so easy to do by error, because the markers were modified specifically in a tree of folders, deleting two URL markers and adding two others.
I know from the language and the context of the new URLs that the "intruder" is of my nationality.

The problem is that the legitimate users of the computer just deleted both fake URLs and added the original ones back. After that, they just continued using the computer normally. That day, none of those URL webpages were under attack (like DNS or something like that, and maybe the auto-refresh of Firefox, I don't know if it exists, just updated both of them at the moment of the attack on the webpages). Also, they didn't say anything about a possible attack. And because it is in the markers of Firefox (something that is stored locally), I thought it was a direct and specific attack on computer A and its users.

Question A: Was my supposition correct? Or is there still any possibility of it being a general attack? I dismiss any possibility of a popular worm/virus because the modification of the markers was really specific and in a national context.

Question B: What is the best procedure to analyze the source of the attack, and how to protect against it? How to know what things have been modified? I think it is weird that the intruder shows himself by modifying something in the system (like markers in Firefox), so he/she wants to be noticed, like a threat.

I have installed and started the ClamAV antivirus. So far I can show that there are:
Code:
Windows and Data NTFS partitions (Windows not really used, Data used from Linux):
      - hundreds of Heuristics.Encrypted.ZIP (or PDF, RAR), Heuristics.Broken.Executable
      - file .htm with Exploit.HTML.MHTRedir.4n
      - file .pdf with Exploit.PDF-1745
      - file .rar with Trojan.W32.HotKeysHook.A
      - 5 files .js with Worm.JS.Redlof.A

Linux (normally used):
      - /boot/vmlinux-3.1.10-1.16-desktop.gz                                Heuristics.Broken.Executable
      - /home/userA/Applications/jDownloaders/JDownlaoder/libs/jna.jar     Heuristics.Broken.Executable
      - /home/userA/.jd/libs/jna.jar                                       Heuristics.Broken.Executable
      - /home/userA/.thunderbird/ct5dfrhd.default/training.dat             Heuristics.Broken.Executable
      - /lib/firmware/vxge/X3fw.ncf                                        Heuristics.Encrypted.Zip
      - /lib/firmware/vxge/X3fw-pxe.ncf                                    Heuristics.Encrypted.Zip
At the time the detection was reported, Windows had not been used in the preceding days. Therefore, Linux was the OS in use at the time of the intrusion.
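Question B asks how to find out what was modified. Firefox keeps bookmarks in the profile's places.sqlite (moz_bookmarks holds dateAdded and lastModified as microseconds since the epoch, moz_places holds the URL), so one concrete check is to query that database for entries touched inside the suspect window. This is an added example, not code from the post; the schema subset and the rows are constructed, and the incident time is an assumed placeholder.

```python
import datetime as dt
import sqlite3

# Minimal subset of the real Firefox places.sqlite schema, enough for the
# queries below (constructed here; a real profile has many more columns).
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
CREATE TABLE moz_bookmarks (
    id INTEGER PRIMARY KEY,
    type INTEGER,          -- 1 = bookmark, 2 = folder, 3 = separator
    fk INTEGER,            -- moz_places.id of the URL (bookmarks only)
    parent INTEGER,        -- id of the containing folder
    title TEXT,
    dateAdded INTEGER,     -- microseconds since the Unix epoch (PRTime)
    lastModified INTEGER   -- microseconds since the Unix epoch (PRTime)
);
"""

def prtime(ts):
    """'YYYY-MM-DD HH:MM' in UTC -> microseconds since the epoch, as Firefox stores it."""
    d = dt.datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=dt.timezone.utc)
    return int(d.timestamp()) * 1_000_000

def fmt(prt):
    """Microseconds since the epoch -> readable UTC timestamp."""
    d = dt.datetime.fromtimestamp(prt / 1_000_000, dt.timezone.utc)
    return d.strftime("%Y-%m-%d %H:%M:%S")

def open_sample():
    """In-memory database with constructed rows: one folder whose children changed one evening."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
        (1, "https://www.opensuse.org/", "openSUSE"),
        (2, "https://example.org/original", "Original site"),
        (3, "https://example.net/injected", "Injected site"),   # constructed
        (4, "https://example.org/removed", "Removed site"),     # no bookmark row left
    ])
    old, evt = prtime("2012-06-01 10:00"), prtime("2013-02-24 21:31")  # evt: assumed incident time
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?,?,?,?,?,?,?)", [
        (1, 2, None, 0, "Bookmarks Menu", old, old),
        (2, 2, None, 1, "Work",           old, evt),   # folder bumped when its children changed
        (3, 1, 1,    2, "openSUSE",       old, old),
        (4, 1, 2,    2, "Original site",  old, old),
        (5, 1, 3,    2, "Injected site",  evt, evt),   # added during the incident
    ])
    return conn

def bookmarks_changed_between(conn, start, end):
    """Bookmarks added or modified inside [start, end] (PRTime), with folder and URL."""
    rows = conn.execute("""
        SELECT b.id, b.title, p.url, f.title AS folder, b.dateAdded, b.lastModified
        FROM moz_bookmarks b
        JOIN moz_places p ON p.id = b.fk
        LEFT JOIN moz_bookmarks f ON f.id = b.parent
        WHERE b.type = 1
          AND (b.dateAdded BETWEEN ? AND ? OR b.lastModified BETWEEN ? AND ?)
        ORDER BY b.lastModified""", (start, end, start, end))
    return [dict(r) for r in rows]

def folders_touched_between(conn, start, end):
    """Folders whose lastModified falls in the window. Firefox updates a folder's
    lastModified when a child is inserted or removed, so a folder listed here
    without a newly added child in the window points at a deletion."""
    rows = conn.execute("""
        SELECT id, title, lastModified FROM moz_bookmarks
        WHERE type = 2 AND lastModified BETWEEN ? AND ? ORDER BY lastModified""", (start, end))
    return [dict(r) for r in rows]

def unreferenced_places(conn):
    """URLs in moz_places that no bookmark points at. In a real profile these are
    mostly history entries, but a removed bookmark's URL usually survives here
    until history expiry, which is how the deleted entries can be recovered."""
    rows = conn.execute("""
        SELECT p.id, p.url, p.title FROM moz_places p
        LEFT JOIN moz_bookmarks b ON b.fk = p.id
        WHERE b.id IS NULL ORDER BY p.id""")
    return [dict(r) for r in rows]

def report(conn, start, end):
    """Human-readable lines for the three checks above."""
    lines = []
    for b in bookmarks_changed_between(conn, start, end):
        lines.append(f"bookmark {b['id']} in '{b['folder']}': {b['url']} "
                     f"added {fmt(b['dateAdded'])}, modified {fmt(b['lastModified'])}")
    for f in folders_touched_between(conn, start, end):
        lines.append(f"folder {f['id']} '{f['title']}' changed {fmt(f['lastModified'])}")
    for p in unreferenced_places(conn):
        lines.append(f"no bookmark references {p['url']} (possible deleted bookmark)")
    return lines

if __name__ == "__main__":
    # For a real profile: conn = sqlite3.connect("copy-of-places.sqlite"); conn.row_factory = sqlite3.Row
    db = open_sample()
    for line in report(db, prtime("2013-02-24 21:00"), prtime("2013-02-24 22:00")):
        print(line)
```

Run it against a copy of ~/.mozilla/firefox/<profile>/places.sqlite taken with Firefox closed, since Firefox holds a lock on the live file; the window bounds are in UTC.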
 
Old 03-12-2013, 06:04 PM   #2
Zzipo
Original Poster
PART 2:

Now I have access to the main computerA, where the "intrusion" was done two and a half weeks ago, but I really don't know what to do or how to proceed. At least I have installed clamav and shown the results above.

The problem is that I came with computerB running Arch Linux, and I needed internet to start checking how to proceed with all this. The problem is that after activating eth0 and running the dhcp client to get an IP, I got the connection, and right after that I saw some really weird behaviour. Suddenly the computer froze a little, well, not really froze, but was slow for some moments, and when I checked in the terminal what had happened, my prompt had been modified.
Before it was:
ussr@localhost
now:
ussr@unknown002454062846

That set off my alarms, so I quickly disconnected the ethernet. Because I don't know how to proceed, and I'm really scared of the situation, I just post the "captures" below.

iptables of computerB (I followed the Arch Linux Simple Stateful Firewall... I think I got it right)
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request ctstate NEW
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
           icmp --  anywhere             anywhere             icmp echo-request recent: SET name: ping_limiter side: source mask: 255.255.255.255
DROP       icmp --  anywhere             anywhere             icmp echo-request recent: UPDATE seconds: 4 hit_count: 6 name: ping_limiter side: source mask: 255.255.255.255
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
REJECT     tcp  --  anywhere             anywhere             recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain TCP (1 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain UDP (1 references)
target     prot opt source               destination         
REJECT     udp  --  anywhere             anywhere             recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

sudo cat /var/log/everything.log [more info maybe]
Code:
Mar 12 21:46:46 localhost dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 21:46:46 localhost dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 21:46:46 localhost dbus-daemon[340]: dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 21:46:55 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:46:55 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:46:55 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:46:55 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:46:55 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:43 localhost kernel: [  282.346749] usb 4-1: USB disconnect, device number 2
Mar 12 21:50:44 localhost kernel: [  283.346743] usb 1-1: USB disconnect, device number 2
Mar 12 21:50:46 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:50:46 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:50:46 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:50:46 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:46 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:46 localhost kernel: [  284.773394] Monitor-Mwait will be used to enter C-3 state
Mar 12 21:50:46 localhost kernel: [  285.600790] EXT4-fs (sda5): re-mounted. Opts: data=ordered,commit=600
Mar 12 21:51:46 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:51:46 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:51:46 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:51:46 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:51:46 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:52:03 localhost kernel: [  361.720026] usb 4-1: new low-speed USB device number 3 using uhci_hcd
Mar 12 21:52:03 localhost kernel: [  362.021197] input:   USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb4/4-1/4-1:1.0/input/input15
Mar 12 21:52:03 localhost kernel: [  362.021535] hid-generic 0003:05AF:0802.0004: input,hidraw0: USB HID v1.10 Keyboard [  USB Keyboard] on usb-0000:00:1d.0-1/input0
Mar 12 21:52:03 localhost kernel: [  362.113907] input:   USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb4/4-1/4-1:1.1/input/input16
Mar 12 21:52:03 localhost kernel: [  362.114113] hid-generic 0003:05AF:0802.0005: input,hidraw1: USB HID v1.10 Device [  USB Keyboard] on usb-0000:00:1d.0-1/input1
Mar 12 21:52:03 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:52:03 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:52:04 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:52:04 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:52:04 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:53:36 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:53:36 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:53:36 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost kernel: [  455.631890] EXT4-fs (sda5): re-mounted. Opts: data=ordered,commit=0
Mar 12 21:54:15 localhost kernel: [  494.630014] usb 1-1: new low-speed USB device number 3 using uhci_hcd
Mar 12 21:54:16 localhost kernel: [  494.819169] input: Logitech USB Optical Mouse as /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1:1.0/input/input17
Mar 12 21:54:16 localhost kernel: [  494.819483] hid-generic 0003:046D:C05B.0006: input,hidraw2: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:1a.0-1/input0
Mar 12 21:56:16 localhost kernel: [  615.359568] sky2 0000:06:00.0 eth0: enabling interface
Mar 12 21:56:16 localhost kernel: [  615.359925] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Mar 12 21:56:18 localhost kernel: [  617.200722] sky2 0000:06:00.0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:56:18 localhost kernel: [  617.200761] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Mar 12 21:57:01 localhost kernel: [  659.837395] sky2 0000:06:00.0 eth0: Link is down
Mar 12 21:57:03 localhost kernel: [  662.485483] sky2 0000:06:00.0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:58:03 localhost dhcpcd[1072]: version 5.6.4 starting
Mar 12 21:58:03 localhost kernel: [  722.424132] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: broadcasting for a lease
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: waiting for carrier
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: carrier acquired
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: carrier lost
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: waiting for carrier
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: offered 192.168.1.35 from 192.168.1.1
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: acknowledged 192.168.1.35 from 192.168.1.1
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: checking for 192.168.1.35
Mar 12 21:58:07 localhost dhcpcd[1072]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:10 localhost dhcpcd[1072]: eth0: leased 192.168.1.35 for 43200 seconds
Mar 12 21:58:10 localhost dhcpcd[1072]: forked to background, child pid 1119
Mar 12 21:58:11 localhost dhcpcd[1119]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: no IPv6 Routers available
Mar 12 21:59:33 localhost kernel: [  812.425190] konsole[1156]: segfault at 84 ip b73128d4 sp bf9e00c0 error 4 in libkdeui.so.5.10.0[b6fcb000+42b000]
Mar 12 21:59:33 localhost systemd-coredump[1158]: Process 1156 (konsole) dumped core.
Mar 12 21:59:47 localhost kernel: [  826.338582] konsole[1164]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 21:59:48 localhost systemd-coredump[1165]: Process 1164 (konsole) dumped core.
Mar 12 22:00:32 localhost kernel: [  870.727165] konsole[1174]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 22:00:32 localhost systemd-coredump[1175]: Process 1174 (konsole) dumped core.
Mar 12 22:01:01 localhost systemd[1]: Starting Cleanup of Temporary Directories...
Mar 12 22:01:01 localhost CROND[1186]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 22:01:01 localhost anacron[1192]: Anacron started on 2013-03-12
Mar 12 22:01:01 localhost anacron[1192]: Normal exit (0 jobs run)
Mar 12 22:01:01 localhost systemd[1]: Started Cleanup of Temporary Directories.
Mar 12 22:01:04 localhost kernel: [  902.743018] konsole[1196]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 22:01:04 localhost systemd-coredump[1197]: Process 1196 (konsole) dumped core.
Mar 12 22:01:21 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 22:01:21 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 22:01:21 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 22:01:22 localhost dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 22:01:22 localhost dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 22:01:46 localhost dhcpcd[1119]: eth0: carrier lost
Mar 12 22:01:46 localhost kernel: [  945.353892] sky2 0000:06:00.0 eth0: Link is down
ps aux
Code:
[ussr@unknown002454062846 ~]$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   5040  2772 ?        Ss   21:46   0:00 /bin/systemd
root         2  0.0  0.0      0     0 ?        S    21:46   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    21:46   0:01 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   21:46   0:00 [kworker/0:0H]
root         7  0.0  0.0      0     0 ?        S<   21:46   0:00 [kworker/u:0H]
root         8  0.0  0.0      0     0 ?        S    21:46   0:00 [migration/0]
root         9  0.0  0.0      0     0 ?        S    21:46   0:01 [rcu_preempt]
root        10  0.0  0.0      0     0 ?        S    21:46   0:00 [rcu_bh]
root        11  0.0  0.0      0     0 ?        S    21:46   0:00 [rcu_sched]
root        12  0.0  0.0      0     0 ?        S    21:46   0:00 [watchdog/0]
root        13  0.0  0.0      0     0 ?        S    21:46   0:00 [watchdog/1]
root        14  0.0  0.0      0     0 ?        S    21:46   0:01 [ksoftirqd/1]
root        15  0.0  0.0      0     0 ?        S    21:46   0:00 [migration/1]
root        17  0.0  0.0      0     0 ?        S<   21:46   0:00 [kworker/1:0H]
root        18  0.0  0.0      0     0 ?        S<   21:46   0:00 [cpuset]
root        19  0.0  0.0      0     0 ?        S<   21:46   0:00 [khelper]
root        20  0.0  0.0      0     0 ?        S    21:46   0:00 [kdevtmpfs]
root        21  0.0  0.0      0     0 ?        S<   21:46   0:00 [netns]
root        22  0.0  0.0      0     0 ?        S    21:46   0:00 [bdi-default]
root        23  0.0  0.0      0     0 ?        S<   21:46   0:00 [kblockd]
root        26  0.0  0.0      0     0 ?        S    21:46   0:00 [khungtaskd]
root        27  0.0  0.0      0     0 ?        S    21:46   0:00 [kswapd0]
root        28  0.0  0.0      0     0 ?        SN   21:46   0:00 [ksmd]
root        29  0.0  0.0      0     0 ?        SN   21:46   0:00 [khugepaged]
root        30  0.0  0.0      0     0 ?        S    21:46   0:00 [fsnotify_mark]
root        31  0.0  0.0      0     0 ?        S<   21:46   0:00 [crypto]
root        35  0.0  0.0      0     0 ?        S<   21:46   0:00 [kthrotld]
root        37  0.0  0.0      0     0 ?        S<   21:46   0:00 [deferwq]
root        82  0.0  0.0      0     0 ?        S    21:46   0:00 [khubd]
root        83  0.0  0.0      0     0 ?        S<   21:46   0:00 [ata_sff]
root        84  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_0]
root        85  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_1]
root        86  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_2]
root        87  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_3]
root        88  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_4]
root        89  0.0  0.0      0     0 ?        S    21:46   0:00 [scsi_eh_5]
root        92  0.0  0.0      0     0 ?        S    21:46   0:00 [kworker/u:4]
root        97  0.0  0.0      0     0 ?        S<   21:46   0:00 [kworker/1:1H]
root        98  0.0  0.0      0     0 ?        S<   21:46   0:00 [kworker/0:1H]
root       106  0.0  0.0      0     0 ?        S    21:46   0:00 [jbd2/sda5-8]
root       107  0.0  0.0      0     0 ?        S<   21:46   0:00 [ext4-dio-unwrit]
root       124  0.0  0.0  11032  1904 ?        Ss   21:46   0:00 /usr/lib/systemd/systemd-udevd
root       134  0.9  0.8 118768 26528 ?        Ss   21:46   1:04 /usr/lib/systemd/systemd-journald
root       145  0.0  0.0      0     0 ?        S<   21:46   0:00 [iprt]
root       229  0.0  0.0      0     0 ?        S<   21:46   0:00 [led_workqueue]
root       230  0.0  0.0      0     0 ?        S<   21:46   0:00 [kpsmoused]
root       240  0.0  0.0      0     0 ?        S<   21:46   0:00 [cfg80211]
root       242  0.0  0.0      0     0 ?        S<   21:46   0:00 [ttm_swap]
root       304  0.0  0.0      0     0 ?        S<   21:46   0:00 [hd-audio0]
root       327  0.0  0.0      0     0 ?        S<   21:46   0:00 [hd-audio1]
root       331  0.0  0.0   4924   996 ?        Ss   21:46   0:00 /usr/bin/mount.ntfs-3g /dev/sda4 /media/Datos -o rw,relatime
root       337  0.0  0.1   7608  3252 ?        Ss   21:46   0:00 /usr/sbin/syslog-ng -F
root       339  0.0  0.0   4800  1280 ?        Ss   21:46   0:00 /usr/sbin/crond -n
dbus       340  0.0  0.0   3384  1800 ?        Ss   21:46   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root       341  0.0  0.0   3336  1568 ?        Ss   21:46   0:00 /usr/lib/systemd/systemd-logind
root       347  0.0  0.0   3812   744 tty1     Ss+  21:46   0:00 /sbin/agetty --noclear tty1 38400 linux
root       348  0.0  0.0   3968  1040 ?        Ss   21:46   0:00 /usr/bin/kdm -nodaemon
root       455  0.0  0.2  29692  8296 ?        Ssl  21:46   0:01 /usr/lib/upower/upowerd
polkitd    463  0.0  0.3  61912 11272 ?        Ssl  21:46   0:00 /usr/lib/polkit-1/polkitd --no-debug
root       500  0.0  0.1  43028  4060 ?        Ssl  21:46   0:01 /usr/lib/udisks2/udisksd --no-debug
root      1119  0.0  0.0   2420   348 ?        Ss   21:58   0:00 dhcpcd
root      1248  0.4  1.1  86772 34320 tty7     Ssl+ 22:01   0:27 /usr/bin/X :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-WnL9Aa
root      1252  0.0  0.0   5468  2316 ?        S    22:01   0:00 -:0
ussr      1267  0.0  0.0   5196  1624 ?        Ss   22:01   0:00 /bin/sh /usr/bin/startkde
ussr      1278  0.0  0.0   3624   592 ?        S    22:01   0:00 /usr/bin/dbus-launch --sh-syntax --exit-with-session
ussr      1279  0.0  0.0   4300  1848 ?        Ss   22:01   0:01 /usr/bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
ussr      1305  0.0  0.0   4736   384 ?        Ss   22:01   0:00 /usr/bin/gpg-agent -s --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file
ussr      1308  0.0  0.0   4216   424 ?        Ss   22:01   0:00 /usr/bin/ssh-agent -s
root      1323  0.0  0.0   2032    56 ?        S    22:01   0:00 /usr/lib/kde4/libexec/start_kdeinit +kcminit_startup
ussr      1324  0.0  0.5 129264 16476 ?        Ss   22:01   0:00 kdeinit4: kdeinit4 Running...
ussr      1325  0.0  0.3 131292 11184 ?        S    22:01   0:00 kdeinit4: klauncher [kdeinit] --fd=9
ussr      1327  0.0  1.0 215392 30976 ?        Sl   22:01   0:01 kdeinit4: kded4 [kdeinit]
ussr      1334  0.0  0.6 146508 18616 ?        S    22:01   0:00 kdeinit4: kglobalaccel [kdeinit]
ussr      1338  0.0  0.5 162384 17088 ?        Sl   22:01   0:00 /usr/bin/kactivitymanagerd
ussr      1346  0.0  0.0   2168   284 ?        S    22:01   0:00 kwrapper4 ksmserver
ussr      1347  0.0  0.6 155184 18500 ?        Sl   22:01   0:00 kdeinit4: ksmserver [kdeinit]
ussr      1353  0.3  2.7 481808 83556 ?        Sl   22:01   0:19 kwin -session 1014cd7d2d4000134981367400000006900000_1363122074_66050
ussr      1363  0.0  0.8 148664 26072 ?        Sl   22:01   0:00 /usr/bin/knotify4
ussr      1367  0.4  4.5 466704 139528 ?       Sl   22:01   0:27 kdeinit4: plasma-desktop [kdeinit]
ussr      1373  0.0  0.4  86180 15092 ?        S    22:01   0:00 /usr/bin/kuiserver
ussr      1379  0.0  0.1  45584  5780 ?        Sl   22:01   0:00 /usr/bin/akonadi_control
ussr      1381  0.0  0.3 204676 10096 ?        Sl   22:01   0:00 akonadiserver
ussr      1384  0.0  1.2 241804 38312 ?        Sl   22:01   0:01 /usr/bin/mysqld --defaults-file=/home/ussr/.local/share/akonadi/mysql.conf --datadir=/home/ussr/.local/
ussr      1418  0.0  0.5  85804 16604 ?        Sl   22:01   0:00 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resource_0
ussr      1419  0.0  0.9 158040 29748 ?        S    22:01   0:00 /usr/bin/akonadi_archivemail_agent --identifier akonadi_archivemail_agent
ussr      1420  0.0  0.5  86000 16680 ?        Sl   22:01   0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_0
ussr      1421  0.0  0.5  85940 16876 ?        Sl   22:01   0:00 /usr/bin/akonadi_agent_launcher akonadi_maildir_resource akonadi_maildir_resource_0
ussr      1422  0.0  0.6  94976 19712 ?        S    22:01   0:00 /usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
ussr      1423  0.0  0.9 158060 30048 ?        S    22:01   0:00 /usr/bin/akonadi_mailfilter_agent --identifier akonadi_mailfilter_agent
ussr      1424  0.0  0.6  99780 18892 ?        Sl   22:01   0:00 /usr/bin/akonadi_nepomuk_feeder --identifier akonadi_nepomuk_feeder
ussr      1446  0.0  0.3 129528  9488 ?        S    22:01   0:00 kdeinit4: kio_http_cache_cleaner [kdeinit]
ussr      1456  0.0  0.3  73352  9880 ?        Sl   22:01   0:00 /usr/bin/nepomukserver
ussr      1461  0.2  2.3 231052 71768 ?        SNl  22:01   0:12 /usr/bin/nepomukservicestub nepomukstorage
ussr      1471  0.6  1.4  57668 44308 ?        SNl  22:01   0:35 /usr/bin/virtuoso-t +foreground +configfile /tmp/virtuoso_ZT1461.ini +wait
ussr      1481  0.0  1.2 272872 37436 ?        Sl   22:01   0:00 kdeinit4: krunner [kdeinit]                    
ussr      1484  0.0  0.7 241356 24124 ?        Sl   22:01   0:00 kdeinit4: kmix [kdeinit] -session 1014cd7d2d400013498136850000
ussr      1488  0.0  0.4  87280 14960 ?        S    22:01   0:00 /usr/bin/nepomukcontroller -session 1014cd7d2d4000134981368500000006900010_1363122074_36315
ussr      1490  0.0  0.7 111408 23264 ?        Sl   22:01   0:04 yakuake -session 1014cd7d2d4000135280595900000005570044_1363122074_36424
ussr      1495  0.0  0.0   5360  2060 pts/0    Ss+  22:01   0:00 /bin/bash
ussr      1503  0.0  0.5  97452 16812 ?        Sl   22:01   0:00 /usr/lib/kde4/libexec/polkit-kde-authentication-agent-1
ussr      1504  0.0  0.5 105388 17392 ?        S    22:01   0:00 /usr/bin/korgac --icon korgac
ussr      1516  0.0  0.5 145452 17504 ?        S    22:01   0:00 kdeinit4: klipper [kdeinit]                    
ussr      1561  0.2  0.9 164820 27976 ?        Rl   22:01   0:12 kdeinit4: konsole [kdeinit]                    
ussr      1563  0.0  0.0   5356  2112 pts/2    Ss   22:01   0:00 /bin/bash
ussr      1565  0.0  0.6 109208 19384 ?        SNl  22:01   0:00 /usr/bin/nepomukservicestub nepomukfilewatch
ussr      1569  0.1  1.2 123320 37384 ?        SNl  22:01   0:08 /usr/bin/nepomukservicestub nepomukfileindexer
root      1825  0.0  0.0      0     0 ?        S    22:06   0:01 [kworker/1:1]
root      1837  0.0  0.0      0     0 ?        S    22:21   0:00 [flush-8:0]
root      1859  0.0  0.0      0     0 ?        S    23:10   0:00 [kworker/0:1]
root      1872  0.0  0.0      0     0 ?        S    23:10   0:00 [scsi_eh_6]
root      1873  0.0  0.0      0     0 ?        S    23:10   0:00 [usb-storage]
root      1876  0.0  0.0      0     0 ?        S    23:10   0:00 [kworker/1:0]
root      1877  0.0  0.0      0     0 ?        S    23:10   0:00 [kworker/u:0]
ussr      1919  0.0  0.0  35080  2892 ?        Sl   23:11   0:00 /usr/lib/at-spi2-core/at-spi-bus-launcher
ussr      1974  0.0  0.0   3020  1356 ?        S    23:12   0:00 /usr/bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
ussr      1977  0.0  0.1  17320  3152 ?        Sl   23:12   0:00 /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
ussr      1980  0.0  0.0   8084  1968 ?        S    23:12   0:00 /usr/lib/GConf/gconfd-2
root      2036  0.0  0.0      0     0 ?        S    23:21   0:00 [kworker/0:0]
root      2044  0.0  0.0      0     0 ?        S    23:31   0:00 [kworker/0:2]
root      2047  0.0  0.0      0     0 ?        S    23:34   0:00 [flush-8:16]
ussr      2079  0.0  0.0   4676  1208 pts/2    R+   23:36   0:00 ps aux
I have checked in .bashrc and the prompt is still:
PS1='[\u@\h \W]\$ '
And \h means hostname... And if I check in /etc/hosts:
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost

So, something is wrong...

I don't know how to proceed, neither on computer A nor on computer B.

Question C: Is it possible to have any mechanism to know every file that is modified, added or deleted on the whole system? Something like a log, but for every file? I think it is the only way to know what is going on.

Any help? Please, I'm so lost in this area...
 
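Question C above asks for a mechanism that records every file modified, added or deleted on the whole system. The usual answer is a file-integrity baseline: record a content hash plus metadata for every regular file while the system is believed clean, keep that record off the machine, and compare it against a fresh snapshot later. The script below is an added example and is not from any post in this thread or from openSUSE; it assumes a GNU userland (find's -printf, as used by the capture command later in the thread, and coreutils sha256sum), and the tree that fim_demo snapshots is constructed sample data. A real run would be something like `fim_snapshot / /media/usb/base.tsv` from a live CD, with the baseline kept on the removable media.

```shell
#!/bin/sh
# Added example (not from the thread): minimal file-integrity baseline.
#   fim_snapshot DIR OUT   record path, mode, owner:group, size, sha256 of
#                          every regular file under DIR into OUT (sorted)
#   fim_compare OLD NEW    print ADDED / DELETED / MODIFIED <path> lines
#   fim_demo               run both on a constructed sample tree
# Keep OUT off the examined disk: a baseline stored on the suspect host can be
# rewritten by whoever already has root there. Run from a live CD if you can,
# since a kernel-level rootkit can lie to any tool run on the live system.
set -u

fim_snapshot() {
    dir=$1; out=$2
    # GNU find supplies mode/owner/size; sha256sum supplies the content hash.
    # Sorting by path lets two snapshots be compared as plain text.
    # (Paths containing tabs or newlines are not handled by this example.)
    find "$dir" -type f -printf '%p\t%m\t%u:%g\t%s\n' \
    | LC_ALL=C sort \
    | while IFS="$(printf '\t')" read -r path mode own size; do
        sum=$(sha256sum "$path" | cut -d' ' -f1)
        printf '%s\t%s\t%s\t%s\t%s\n' "$path" "$mode" "$own" "$size" "$sum"
      done > "$out"
}

fim_compare() {
    # Field 1 (path) is the key; the rest of the line is the attribute tuple.
    # FILENAME == ARGV[1] (not NR == FNR) so an empty baseline still works.
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $0; next }
        {
            if (!($1 in old))        print "ADDED\t" $1
            else if (old[$1] != $0)  print "MODIFIED\t" $1
            seen[$1] = 1
        }
        END { for (p in old) if (!(p in seen)) print "DELETED\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

fim_demo() {
    # Constructed sample tree: one file changed, one removed, one added.
    t=$(mktemp -d)
    mkdir -p "$t/tree/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$t/tree/etc/passwd"
    printf 'nameserver 127.0.0.1\n' > "$t/tree/etc/resolv.conf"
    fim_snapshot "$t/tree" "$t/base.tsv"
    printf 'evil:x:0:0::/:/bin/sh\n' >> "$t/tree/etc/passwd"   # second uid-0 user
    rm "$t/tree/etc/resolv.conf"
    printf '* * * * * /tmp/.x\n' > "$t/tree/etc/cron.d_x"      # new persistence file
    fim_snapshot "$t/tree" "$t/now.tsv"
    fim_compare "$t/base.tsv" "$t/now.tsv" | sed "s|$t/tree||"
    rm -rf "$t"
}

case "${1:-}" in
    snapshot) fim_snapshot "$2" "$3" ;;
    compare)  fim_compare "$2" "$3" ;;
    demo)     fim_demo ;;
esac
```

`sh fim.sh demo` prints three lines (ADDED /etc/cron.d_x, DELETED /etc/resolv.conf, MODIFIED /etc/passwd). A baseline taken only after a suspected compromise cannot show what was changed before it, but it still catches anything an intruder touches from that point on, which is often the faster way to find persistence than reading the whole disk.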
Old 03-12-2013, 09:06 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Zzipo, I have sent you a private message regarding your situation. We at LQSecurity will certainly help you with this situation. Please try to disturb the situation as little as possible and avoid rebooting, etc.

Would you please tell me what distribution you're running, an estimate of the patch level (how judicious have you been in performing updates), what server processes you are running, and if you are running any control panels such as Plesk, etc.

I would also ask that you please run the following command as root to capture a process tree, open file list, and network connection status:
Code:
( \ps axfwwwe 2>&1; lsof -Pwln 2>&1; netstat -antTupe 2>&1; lastlog 2>&1; last 2>&1; who -wa 2>&1; find /tmp /var/tmp /usr/tmp /var/spool/cron -printf "%T@ %A@ %C@ %u %g %m %y \"%p\"\n" 2>&1 ) > /tmp/output.log
Please obtain copies of your log files and transfer them to a safe location. I would like to ask how far back your log files go and whether they predate the suspected compromise. Are you familiar with the logwatch utility? Please obtain it and run it with the following options:
Code:
--detail High --service All --range All --archives --numeric --save /path/to/logwatch.log
These commands should be run as root. The two commands above will create a file called output.log in your /tmp folder and a file called logwatch.log. We will need to evaluate the output of these commands to gather information regarding the state of your system. We can make arrangements for you to either upload them or email them to us for analysis.

While you are obtaining this information, I will review what you have posted above and get back to you as soon as possible. Lastly, I would like you to review the dated, but still valid, CERT Intruder Detection Checklist, as it will give you an idea of the steps involved in investigating your situation. In essence, we will gather information regarding what is running on the system, open network connections and history information, and look for hidden and modified files.
 
2 members found this post helpful.
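The capture command in the post above writes everything into a single file under /tmp on the machine being examined. The script below is an added example, not from Noway2's post or from openSUSE: it runs the same commands (plus uname and date to label the capture), but writes one file per command into a directory the caller names, records which tools were absent instead of silently skipping them, and seals the set with a SHA-256 manifest so the copies can be shown unchanged when they reach whoever analyses them. DEST should be mounted removable media, not the suspect disk. The post's own flags are kept as they are; the three-command list used in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): volatile-evidence capture with a
# tamper-evident manifest.
#   capture_volatile DEST [LIST]   run each "name|command" line of LIST
#                                  (default: the thread's commands), one
#                                  output file per command, then hash them
#   capture_verify DEST            exit 0 only if every file still matches
# Run as root. DEST should be on removable media, not on the suspect disk.
set -u

# The commands from the post, plus uname/date to label the capture.
# The backslash before ps bypasses any alias, as in the original one-liner.
DEFAULT_LIST='
ps|\ps axfwwwe
lsof|lsof -Pwln
netstat|netstat -antTupe
lastlog|lastlog
last|last
who|who -wa
tmpdirs|find /tmp /var/tmp /usr/tmp /var/spool/cron -printf "%T@ %A@ %C@ %u %g %m %y \"%p\"\n"
uname|uname -a
date|date -u
'

capture_volatile() {
    dest=$1; list=${2:-$DEFAULT_LIST}
    mkdir -p "$dest"
    printf '%s\n' "$list" | while IFS='|' read -r name cmd; do
        [ -n "$name" ] || continue
        tool=${cmd%% *}; tool=${tool#\\}        # first word, without the \ prefix
        if ! command -v "$tool" >/dev/null 2>&1; then
            # Record the gap instead of silently skipping it.
            printf 'MISSING: %s\n' "$tool" > "$dest/$name.txt"
            printf '%s exit=MISSING\n' "$name" >> "$dest/status.txt"
            continue
        fi
        # stderr is kept with stdout: a tool's complaints are evidence too.
        if sh -c "$cmd" > "$dest/$name.txt" 2>&1; then rc=0; else rc=$?; fi
        printf '%s exit=%s\n' "$name" "$rc" >> "$dest/status.txt"
    done
    # Hash last so the manifest covers every file written above.
    (cd "$dest" && sha256sum ./*.txt > manifest.sha256)
}

capture_verify() {
    (cd "$1" && sha256sum -c --status manifest.sha256 2>/dev/null)
}

case "${1:-}" in
    capture) capture_volatile "$2" ;;
    verify)  capture_verify "$2" ;;
esac
```

Usage on the suspect host: `sh capture.sh capture /media/usb/hostA-$(date +%s)`, then `sh capture.sh verify /media/usb/hostA-...` on the analysis machine before reading anything. The manifest only proves the copies were not altered after capture; if a rootkit is already lying to ps, lsof or netstat, the capture faithfully records the lie, which is why the same data should also be collected from a live CD and compared.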
Old 03-13-2013, 04:52 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Here is some follow-up information for you. First, about computer A. ClamAV is pretty good at detecting Windows viruses. It is not likely to tell you much about Linux infections, though. The Heuristics.Broken.Executable which you are getting on both systems means that the scanner has trouble following the executable machine code. See this thread from Ubuntu's Launchpad bug system regarding this message. Apparently this heuristic was intended to be a form of mail worm scanner. It does look like there is some garbage on the Windows system. I haven't investigated these items yet, but that is one thing we should check. However, Windows tends to ignore non-Windows drive partitions and I doubt that Windows malware would take over a Linux system on the machine. It is more likely to have an issue directly with it.

On computer A, when you say connected directly to DSL, is there a router in between, and when you connected computer B, was it on the same LAN or directly connected to the DSL? I am curious as to where the DHCP server connection originated.

My suspicion is that no, it is unlikely that the markers (bookmarks?) in Firefox would have been accidentally modified in the manner you describe without some form of intrusion. Have a look at this page from Mozilla support which discusses where the marker files are stored. This gives us an idea of an area to investigate.

Your firewall settings look OK and indicate that you're not running any server process. This is good and helps to limit your exposure. You will still need to investigate this machine THOROUGHLY. I understand your concerns with what happened with machine B; let's discuss that now.

One thing I would suggest you do is look at your /etc/dhcp/dhclient.conf. One of the things that is possible is to get the hostname via DHCP, and it looks like the hostname was changed on your system. This can also have side effects, and from googling this function it looks like the underlying X window system and display managers don't take kindly to it. Do you have a request line with host-name in it? If so, this is probably what happened. You can also look at your /etc/hostname file to see what is in there.

Looking at the log files, you can see where your system obtained a DHCP lease. Immediately following this, part of your KDE system crashed: "konsole[1156]: segfault at 84 ip b73128d4". Note the PID number 1156. PIDs in this range are missing in your process list, but are immediately followed by /usr/bin/X :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-WnL9Aa, which looks like a restart of X, fitting with the theory that changing the hostname conflicts with the display manager. The pause you saw was likely this crashing, restarting, and trying to generate a core dump.

Looking over your process list, I don't see anything particularly out of the ordinary. The -:0 with the PID immediately following the restart of X is a little odd, but I think it is part of the X system. The only thing I can see out of the ordinary in the process list is that you're running KDE with some GNOME 3 processes, e.g. /etc/at-spi2/accessibility.conf and the following two lines. Googling these processes pulls up information about Arch packages, and having both KDE and GNOME libraries and applications on the same system is not uncommon. I don't think that there is anything malicious about it.

So, as it stands, you still need to investigate computer A. I think we have a good theory as to what happened when you tried to connect with computer B. I would recommend that you change the network settings to use a static IP instead of DHCP next time you connect. You can also use a live CD for extra precaution, as that can't be permanently written to. The commands I provided earlier should be run in investigating machine A, and we should start by capturing information about it.
 
1 member found this post helpful.
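The post above suggests three places to look for the source of a changed hostname: a `request` line in /etc/dhcp/dhclient.conf that includes host-name, /etc/hostname, and (from the original post) /etc/hosts and the `\h` in the prompt. The script below is an added example, not from this thread: it parses dhclient.conf statements (including a `request` list that spans several lines and a `supersede host-name` that pins a local name), checks whether the running kernel hostname appears anywhere in /etc/hosts, and prints a one-line summary. The sample configs in the test are constructed. The process list on computer A shows dhcpcd rather than dhclient, so on openSUSE the equivalent knob is DHCLIENT_SET_HOSTNAME in /etc/sysconfig/network/dhcp; that file is left as a manual check here.

```shell
#!/bin/sh
# Added example (not from the thread): where can the hostname have come from?
#   dhclient_hostname_policy CONF   prints "request" if CONF asks the DHCP
#                                   server for host-name (option 12),
#                                   "supersede:<name>" if it pins a local
#                                   name, "none" otherwise or if CONF is absent
#   hosts_has_name HOSTS NAME       exit 0 if NAME is listed as a name in HOSTS
#   hostname_report HNFILE HOSTS CONF   one-line summary of all three sources
# bash's \h in PS1 is the kernel hostname (uname -n) up to the first dot, so a
# lease-supplied name shows up in the prompt even when /etc/hostname and
# /etc/hosts are untouched, which matches what the original poster saw.
set -u

dhclient_hostname_policy() {
    [ -r "$1" ] || { echo none; return 0; }
    # Drop comments, join lines, then split on ; { } so that every statement,
    # including a multi-line "request ..." list, lands on one line for awk.
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';{}' '\n\n\n' \
    | awk '
        $1 == "supersede" && $2 == "host-name" { gsub(/"/, "", $3); sup = $3 }
        $1 == "request" {
            for (i = 2; i <= NF; i++) { gsub(/,/, "", $i); if ($i == "host-name") req = 1 }
        }
        END {
            if (sup != "")  print "supersede:" sup
            else if (req)   print "request"
            else            print "none"
        }
    '
}

hosts_has_name() {
    # Names are fields 2..NF of non-comment lines; field 1 is the address.
    awk -v n="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { f = 1; exit } }
        END { exit f ? 0 : 1 }
    ' "$1"
}

hostname_report() {
    kern=$(uname -n)
    static=$(cat "$1" 2>/dev/null || echo '(missing)')
    policy=$(dhclient_hostname_policy "$3")
    if hosts_has_name "$2" "$kern"; then inhosts=yes; else inhosts=no; fi
    printf 'kernel=%s /etc/hostname=%s dhclient=%s kernel_name_in_hosts=%s\n' \
        "$kern" "$static" "$policy" "$inhosts"
}

case "${1:-}" in
    report) hostname_report /etc/hostname /etc/hosts /etc/dhcp/dhclient.conf ;;
esac
```

`sh hostname_check.sh report` on computer B would show directly whether the kernel name differs from /etc/hostname and whether dhclient.conf asks for host-name. If it does and the name is unexpected, the next question is which DHCP server handed it out, which is what the post's question about the router is getting at.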
Old 03-13-2013, 12:02 PM   #5
Zzipo
LQ Newbie
 
Registered: Mar 2013
Posts: 28

Original Poster
Rep: Reputation: Disabled
I'm going to post some other new information, and in the last part I answer both posts. Thank you in advance.

Because of the maximum character limit, I will post again and again.

Computer A

uname -r
3.1.10-1.16-desktop

openSUSE 12.1 (i586)
VERSION = 12.1
CODENAME = Asparagus

Last updated: Probably 6 months ago. (I don't know how to check it now)


Processes (ps -Al)
Code:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   5408  2536 ?        Ss   Mar12   0:02 /sbin/init showopts
root         2  0.0  0.0      0     0 ?        S    Mar12   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    Mar12   0:00 [ksoftirqd/0]
root         6  0.0  0.0      0     0 ?        S    Mar12   0:00 [migration/0]
root         7  0.0  0.0      0     0 ?        SN   Mar12   0:16 [rcuc0]
root         8  0.0  0.0      0     0 ?        S    Mar12   0:00 [rcun0]
root         9  0.0  0.0      0     0 ?        S    Mar12   0:00 [rcub0]
root        10  0.0  0.0      0     0 ?        S    Mar12   0:00 [rcun1]
root        11  0.0  0.0      0     0 ?        S    Mar12   0:00 [rcub1]
root        12  0.0  0.0      0     0 ?        S    Mar12   0:00 [watchdog/0]
root        13  0.0  0.0      0     0 ?        S    Mar12   0:00 [migration/1]
root        15  0.0  0.0      0     0 ?        SN   Mar12   0:14 [rcuc1]
root        16  0.0  0.0      0     0 ?        S    Mar12   0:00 [ksoftirqd/1]
root        18  0.0  0.0      0     0 ?        S    Mar12   0:00 [watchdog/1]
root        19  0.0  0.0      0     0 ?        S    Mar12   0:00 [migration/2]
root        21  0.0  0.0      0     0 ?        SN   Mar12   0:12 [rcuc2]
root        22  0.0  0.0      0     0 ?        S    Mar12   0:00 [ksoftirqd/2]
root        23  0.0  0.0      0     0 ?        S    Mar12   0:00 [watchdog/2]
root        24  0.0  0.0      0     0 ?        S    Mar12   0:00 [migration/3]
root        26  0.0  0.0      0     0 ?        SN   Mar12   0:09 [rcuc3]
root        27  0.0  0.0      0     0 ?        S    Mar12   0:04 [ksoftirqd/3]
root        28  0.0  0.0      0     0 ?        S    Mar12   0:00 [watchdog/3]
root        29  0.0  0.0      0     0 ?        S<   Mar12   0:00 [cpuset]
root        30  0.0  0.0      0     0 ?        S<   Mar12   0:00 [khelper]
root        31  0.0  0.0      0     0 ?        S    Mar12   0:00 [kdevtmpfs]
root        32  0.0  0.0      0     0 ?        S<   Mar12   0:00 [netns]
root        33  0.0  0.0      0     0 ?        S    Mar12   0:00 [sync_supers]
root        34  0.0  0.0      0     0 ?        S    Mar12   0:00 [bdi-default]
root        35  0.0  0.0      0     0 ?        S<   Mar12   0:00 [kintegrityd]
root        36  0.0  0.0      0     0 ?        S<   Mar12   0:00 [kblockd]
root        37  0.0  0.0      0     0 ?        S<   Mar12   0:00 [ata_sff]
root        38  0.0  0.0      0     0 ?        S    Mar12   0:00 [khubd]
root        39  0.0  0.0      0     0 ?        S<   Mar12   0:00 [md]
root        41  0.0  0.0      0     0 ?        S    Mar12   0:00 [khungtaskd]
root        42  0.3  0.0      0     0 ?        S    Mar12   3:02 [kswapd0]
root        43  0.0  0.0      0     0 ?        SN   Mar12   0:00 [ksmd]
root        44  0.0  0.0      0     0 ?        SN   Mar12   0:02 [khugepaged]
root        45  0.0  0.0      0     0 ?        S    Mar12   0:00 [fsnotify_mark]
root        46  0.0  0.0      0     0 ?        S<   Mar12   0:00 [crypto]
root        50  0.0  0.0      0     0 ?        S<   Mar12   0:00 [kthrotld]
root        85  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_0]
root        86  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_1]
root        87  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_2]
root        88  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_3]
root        92  0.0  0.0      0     0 ?        S    Mar12   0:00 [kworker/u:3]
root       101  0.0  0.0      0     0 ?        S<   Mar12   0:00 [kpsmoused]
root       103  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_4]
root       104  0.0  0.0      0     0 ?        S    Mar12   0:03 [usb-storage]
root       106  0.0  0.0      0     0 ?        S    Mar12   0:00 [kworker/u:5]
root       141  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_5]
root       142  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_6]
root       143  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_7]
root       144  0.0  0.0      0     0 ?        S    Mar12   0:20 [usb-storage]
root       148  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_8]
root       149  0.0  0.0      0     0 ?        S    Mar12   0:00 [scsi_eh_9]
root       217  0.0  0.0      0     0 ?        S<   Mar12   0:00 [ttm_swap]
root       432  0.0  0.0      0     0 ?        S    Mar12   0:01 [jbd2/sda5-8]
root       433  0.0  0.0      0     0 ?        S<   Mar12   0:00 [ext4-dio-unwrit]
root       471  0.0  0.0   3236   348 ?        Ss   Mar12   0:00 /sbin/udevd
root       494  0.0  0.0      0     0 ?        S    Mar12   0:00 [kauditd]
root       495  0.0  0.0   2284   364 ?        Ss   Mar12   0:00 /lib/systemd/systemd-stdout-syslog-bridge
root       643  0.0  0.0   3148   256 ?        S    Mar12   0:00 /sbin/udevd
root       644  0.0  0.0   3148   244 ?        S    Mar12   0:00 /sbin/udevd
root       749  0.0  0.0      0     0 ?        S<   Mar12   0:00 [firewire]
root       782  0.0  0.0      0     0 ?        S<   Mar12   0:00 [hd-audio1]
root       824  0.0  0.0      0     0 ?        S<   Mar12   0:00 [hd-audio2]
root       881  0.8  0.0  12720  1580 ?        Ss   Mar12   7:49 /sbin/mount.ntfs-3g /dev/sdc1 /windows/datos -o rw,locale=es_ES.UTF-8
root       897  1.5  0.0  10540  2064 ?        Ss   Mar12  13:31 /sbin/mount.ntfs-3g /dev/sda3 /windows/othe -o rw,noexec,nosuid,nodev,users,gid=10
root       898  0.7  0.0   9780  1088 ?        Ss   Mar12   6:36 /sbin/mount.ntfs-3g /dev/sda4 /windows/caviarblue -o rw,locale=es_ES.UTF-8
root       903  0.0  0.0      0     0 ?        S    Mar12   0:12 [jbd2/sda6-8]
root       904  0.0  0.0      0     0 ?        S<   Mar12   0:00 [ext4-dio-unwrit]
root       963  0.0  0.0   3140   840 ?        Ss   Mar12   0:00 /lib/systemd/systemd-logind
root       988  0.0  0.0  40136   232 ?        Sl   Mar12   0:00 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
root       994  0.0  0.0   1920   276 ?        Ss   Mar12   0:00 /sbin/acpid
avahi     1010  0.0  0.0   2940   676 ?        Ss   Mar12   0:00 avahi-daemon: running [linux-7sgr.local]
root      1021  0.0  0.0   1908   248 ?        Ss   Mar12   0:00 /usr/sbin/nscd
102       1043  0.0  0.0   3540  1308 ?        Ss   Mar12   0:12 /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
root      1058  0.0  0.0   6288   184 ?        Ss   Mar12   0:03 /sbin/haveged -w 1024 -v 1
root      1199  0.0  0.0   7888   780 ?        Ss   Mar12   0:00 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
root      1312  0.0  0.0   4124   308 ?        Ss   Mar12   0:00 /usr/bin/kdm
root      1427  5.6  1.1  65368 42660 tty7     Ss+  Mar12  50:26 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-Fx
root      1489  0.0  0.0   1908   268 tty1     Ss+  Mar12   0:00 /sbin/agetty tty1 38400
root      1703  0.0  0.0   5164   420 ?        S    Mar12   0:00 -:0         
root      1727  0.0  0.0  33660   992 ?        Ssl  Mar12   0:00 /usr/sbin/console-kit-daemon --no-daemon
root      1801  0.0  0.0  25224  2300 ?        Sl   Mar12   0:01 /usr/lib/polkit-1/polkitd --no-debug
userA      1825  0.0  0.0   4624   292 ?        Ss   Mar12   0:00 /bin/sh /usr/bin/startkde
root      1992  0.0  0.0   5248   492 ?        S    Mar12   0:00 /sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhcli
userA      1995  0.0  0.0   5464  1112 ?        Ss   Mar12   0:01 /usr/bin/gpg-agent --sh --daemon --write-env-file /home/userA/.gnupg/agent.info /et
userA      2115  0.0  0.0   3332   268 ?        S    Mar12   0:00 dbus-launch --sh-syntax --exit-with-session
userA      2116  0.0  0.0   4736  1612 ?        Ss   Mar12   0:02 /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root      2123  0.0  0.0   1752   112 ?        S    Mar12   0:00 /usr/lib/kde4/libexec/start_kdeinit +kcminit_startup
userA      2133  0.0  0.0  92820  1976 ?        Ss   Mar12   0:00 kdeinit4: kdeinit4 Running...                  
userA      2143  0.0  0.0  96676  3636 ?        S    Mar12   0:00 kdeinit4: klauncher [kdeinit] --fd=9           
userA      2213  0.0  0.1 216804  6720 ?        Sl   Mar12   0:06 kdeinit4: kded4 [kdeinit]                      
root      2533  0.0  0.0   2100   432 ?        Ss   Mar12   0:00 /sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook
userA      2553  0.0  0.0 111996  3512 ?        S    Mar12   0:01 kdeinit4: kglobalaccel [kdeinit]               
root      2576  0.0  0.0  28016  1060 ?        Sl   Mar12   0:00 /usr/lib/upower/upowerd
userA      2601  0.0  0.0   1888     0 ?        S    Mar12   0:00 kwrapper4 ksmserver
userA      2605  0.0  0.0 119976  3448 ?        Sl   Mar12   0:01 kdeinit4: ksmserver [kdeinit]                  
root      2624  0.0  0.0  24100  1788 ?        Sl   Mar12   0:11 /usr/lib/udisks/udisks-daemon
root      2625  0.0  0.0   6308   160 ?        S    Mar12   0:00 udisks-daemon: not polling any devices
userA      2654  1.4  8.8 585524 339936 ?       Sl   Mar12  12:35 kwin -session 1014b108a5e8000134377289300000096170000_1363115313_870095
userA      2727  0.0  0.0  61432  2768 ?        S    Mar12   0:01 /usr/bin/kactivitymanagerd
userA      2804  0.0  0.1 266168  4040 ?        Sl   Mar12   0:02 /usr/bin/knotify4
userA      2836  0.2  0.7 350760 28952 ?        Sl   Mar12   2:09 kdeinit4: plasma-desktop [kdeinit]             
userA      2978  0.0  0.0  61184  2696 ?        S    Mar12   0:01 /usr/bin/kuiserver
userA      3048  0.0  0.0 110224  2292 ?        S    Mar12   0:03 kdeinit4: kaccess [kdeinit]                    
userA      3055  0.0  0.0 104028  1480 ?        Sl   Mar12   0:00 kdeinit4: nepomukserver [kdeinit]              
userA      3058  0.2  0.9 315204 35676 ?        Sl   Mar12   2:27 kdeinit4: krunner [kdeinit]                    
userA      3064  0.0  0.4 264532 15884 ?        SNl  Mar12   0:01 /usr/bin/nepomukservicestub nepomukstorage
userA      3080  0.0  0.3  49512 12752 ?        SNl  Mar12   0:10 /usr/bin/virtuoso-t +foreground +configfile /tmp/virtuoso_Ti3064.ini +wait
userA      3119  0.0  0.0  20364  1740 ?        Sl   Mar12   0:01 /usr/bin/akonadi_control
userA      3123  0.0  0.0 248556  1212 ?        Sl   Mar12   0:03 akonadiserver
userA      3130  0.0  0.2 253544  8312 ?        Sl   Mar12   0:19 /usr/sbin/mysqld --defaults-file=/home/userA/.local/share/akonadi//mysql.conf --dat
userA      3228  0.0  0.0  60248  2340 ?        S    Mar12   0:01 /usr/bin/nepomukcontroller -session 1014b108a5e8000134377292700000096170011_136311
userA      3231  0.0  0.2 272104  9184 ?        Sl   Mar12   0:02 kdeinit4: kmix [kdeinit] -session 1014b108a5e80001346397487000
userA      3241  0.0  0.1 115340  4092 ?        S    Mar12   0:01 /usr/bin/kget -session 1014b108a5e8000135447427400000059430038_1363115313_756240
userA      3274  0.0  0.0  67384  2356 ?        SN   Mar12   0:00 /usr/bin/nepomukservicestub nepomukbackupsync
userA      3275  0.0  0.0 120176  2140 ?        SN   Mar12   0:00 /usr/bin/nepomukservicestub digikamnepomukservice
userA      3276  0.0  0.1  90360  3996 ?        SNl  Mar12   0:02 /usr/bin/nepomukservicestub nepomukfilewatch
userA      3280  0.0  0.1  80288  5564 ?        SN   Mar12   0:00 /usr/bin/nepomukservicestub nepomukqueryservice
userA      3293  0.0  0.1 230116  6096 ?        Sl   Mar12   0:42 /usr/bin/pulseaudio --start --log-target=syslog
rtkit     3295  0.0  0.0  20824   364 ?        SNl  Mar12   0:01 /usr/lib/rtkit/rtkit-daemon
userA      3325  0.0  0.0  60340  2424 ?        Sl   Mar12   0:01 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resourc
userA      3326  0.0  0.0  60336  2536 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_akonotes_resource akonadi_akonotes_resourc
userA      3327  0.0  0.0  59940  2528 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3328  0.0  0.0  59996  2372 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3329  0.0  0.0  59996  2556 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3330  0.0  0.0  59976  2360 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3331  0.0  0.0  59940  2332 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3340  0.0  0.0  59976  2396 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3342  0.0  0.0  59976  2360 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3343  0.0  0.0  60000  2380 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3344  0.0  0.0  59940  2540 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3345  0.0  0.0  59940  2516 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_contacts_resource akonadi_contacts_resourc
userA      3346  0.0  0.0  60588  2484 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_0
userA      3348  0.0  0.0  60600  2508 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_1
userA      3349  0.0  0.0  60604  2492 ?        Sl   Mar12   0:00 /usr/bin/akonadi_agent_launcher akonadi_ical_resource akonadi_ical_resource_2
userA      3354  0.0  0.0  60344  2472 ?        Sl   Mar12   0:01 /usr/bin/akonadi_agent_launcher akonadi_maildir_resource akonadi_maildir_resource_
userA      3357  0.0  0.0  69112  2848 ?        S    Mar12   0:01 /usr/bin/akonadi_maildispatcher_agent --identifier akonadi_maildispatcher_agent
userA      3366  0.0  0.0  64084  2884 ?        S    Mar12   0:01 /usr/bin/akonadi_nepomuk_calendar_feeder --identifier akonadi_nepomuk_calendar_fee
userA      3367  0.0  0.0  63388  2708 ?        S    Mar12   0:01 /usr/bin/akonadi_nepomuk_contact_feeder --identifier akonadi_nepomuk_contact_feede
userA      3368  0.0  0.0 107516  3424 ?        S    Mar12   0:01 /usr/bin/akonadi_nepomuk_email_feeder --identifier akonadi_nepomuk_email_feeder
userA      3471  0.0  0.0  70708  2140 ?        Sl   Mar12   0:00 /usr/lib/kde4/libexec/polkit-kde-authentication-agent-1
userA      3512  0.0  0.0   7536   752 ?        S    Mar12   0:00 /usr/lib/gvfs/gvfsd
userA      3516  0.0  0.0  34272   204 ?        Ssl  Mar12   0:00 /usr/lib/gvfs//gvfs-fuse-daemon /home/userA/.gvfs
root      3923  0.0  0.0   4668   408 ?        Ss   Mar12   0:00 /usr/sbin/cron -n
userA      4848  0.0  0.0   8032  1068 ?        S    Mar12   0:00 /usr/lib/GConf/2/gconfd-2
root      5490  0.0  0.0      0     0 ?        S    Mar12   0:08 [kworker/1:2]
root      6174  0.0  0.0      0     0 ?        S    02:12   0:03 [kworker/2:3]
root      6331  0.0  0.0      0     0 ?        S    03:30   0:00 [flush-8:0]
userA      8569  1.8  5.6 766616 217576 ?       Sl   08:43   1:33 /usr/lib/firefox/firefox
userA      8601  0.0  0.4  64256 17276 ?        S    08:43   0:00 /usr/lib/mozilla/kmozillahelper
userA      8693  9.0  0.5 127856 21652 ?        Rl   08:50   6:58 kdeinit4: konsole [kdeinit]                    
userA      8701  0.0  0.0   5432  2436 pts/1    Ss   08:50   0:00 /bin/bash
root      8751  0.0  0.0   7968  2352 pts/1    S+   08:54   0:00 sudo clamscan -r -l logclamav.log / --exclude-dir=/media/
root      8753 69.3  3.0 129096 117808 pts/1   R+   08:54  50:19 clamscan -r -l logclamav.log / --exclude-dir=/media/
root      8823  0.0  0.0      0     0 ?        S    09:17   0:01 [kworker/2:2]
root      8830  0.1  0.0      0     0 ?        S    09:26   0:03 [kworker/3:0]
root      8852  0.5  0.0      0     0 ?        S    09:34   0:10 [kworker/0:0]
root      8858  0.0  0.0      0     0 ?        S    09:40   0:01 [kworker/2:0]
userA      8945  0.0  0.0   5432  2432 pts/2    Ss   09:51   0:00 /bin/bash
root      9174  0.1  0.0      0     0 ?        S    09:53   0:01 [kworker/1:0]
root      9177  0.5  0.0      0     0 ?        S    09:55   0:03 [kworker/0:3]
userA      9178  1.7  0.9 166588 36800 ?        Sl   09:55   0:12 kdeinit4: kwrite [kdeinit]                     
root      9192  0.0  0.0      0     0 ?        S    09:57   0:00 [kworker/3:1]
root      9227  0.0  0.0      0     0 ?        S    10:00   0:00 [kworker/0:2]
root      9239  0.0  0.0      0     0 ?        S    10:00   0:00 [flush-8:32]
userA      9280  0.3  0.0   5768  1700 ?        SL   10:01   0:01 scdaemon --multi-server
userA      9301  8.3  1.0 205940 39936 ?        Sl   10:01   0:31 /usr/bin/vlc /windows/datos/Música/Caro emerald - Deleted scenes from the cutting 
root      9594  0.1  0.0      0     0 ?        S    10:02   0:00 [kworker/3:2]
root      9947  0.0  0.0      0     0 ?        S    10:05   0:00 [kworker/2:1]
userA      9987  0.0  0.1 102804  6520 ?        Sl   10:05   0:00 kdeinit4: kio_trash [kdeinit] trash local:/tmp/ksocket-userA/kl
userA      9988  0.0  0.1  93424  5280 ?        S    10:05   0:00 kdeinit4: kio_file [kdeinit] file local:/tmp/ksocket-userA/klau
userA      9997  0.0  0.1  93420  5280 ?        S    10:05   0:00 kdeinit4: kio_file [kdeinit] file local:/tmp/ksocket-userA/klau
userA      9998  0.1  0.3 112416 14036 ?        S    10:05   0:00 kdeinit4: kio_thumbnail [kdeinit] thumbnail local:/tmp/ksocket
root     10034  0.0  0.0      0     0 ?        S    10:05   0:00 [kworker/0:1]
userA     10128  1.5  0.6 143964 23404 ?        Sl   10:05   0:01 /usr/lib/firefox/plugin-container /usr/lib/browser-plugins/libflashplayer.so -greo
userA     10385  0.0  0.0      0     0 ?        Z    10:07   0:00 [scdaemon] <defunct>
userA     10387  0.0  0.0   2620   864 pts/2    R+   10:07   0:00 ps aux
I don't see above any process related to ftp, telnet, sshd (inactive below), etc. But above and below we can see dhcp6/dhcpcd/dhclient6 active.

[Continue..]
 
Old 03-13-2013, 12:03 PM   #6
Zzipo
LQ Newbie
 
Registered: Mar 2013
Posts: 28

Original Poster
Rep: Reputation: Disabled
[..Continue]
Services (sudo /sbin/service --status-all)
Code:
redirecting to systemctl
SuSEfirewall2_init.service - LSB: SuSEfirewall2 phase 1
          Loaded: loaded (/etc/init.d/SuSEfirewall2_init)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 938 ExecStart=/etc/init.d/SuSEfirewall2_init start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/SuSEfirewall2_init.service
Checking the status of SuSEfirewall2                                                                                                    running
redirecting to systemctl
acpid.service - ACPI Event Daemon
          Loaded: loaded (/lib/systemd/system/acpid.service; enabled)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 993 ExecStart=/sbin/acpid (code=exited, status=0/SUCCESS)
        Main PID: 994 (acpid)
          CGroup: name=systemd:/system/acpid.service
                  └ 994 /sbin/acpid
redirecting to systemctl
alsa-restore.service - Restore Sound Card State
          Loaded: loaded (/lib/systemd/system/alsa-restore.service; static)
          Active: inactive (dead) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
         Process: 909 ExecStart=/usr/sbin/alsactl restore (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/alsa-restore.service
redirecting to systemctl
atd.service - LSB: Start AT batch job daemon
          Loaded: loaded (/etc/init.d/atd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/atd.service
redirecting to systemctl
autofs.service - LSB: automatic mounting of filesystems
          Loaded: loaded (/etc/init.d/autofs)
          Active: inactive (dead)
          CGroup: name=systemd:/system/autofs.service
redirecting to systemctl
avahi-daemon.service - Avahi mDNS/DNS-SD Stack
          Loaded: loaded (/lib/systemd/system/avahi-daemon.service; enabled)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
        Main PID: 1010 (avahi-daemon)
          Status: "Server startup complete. Host name is linux-7sgr.local. Local service cookie is 198690539."
          CGroup: name=systemd:/system/avahi-daemon.service
                  └ 1010 avahi-daemon: running [linux-7sgr.local]
redirecting to systemctl
avahi-dnsconfd.service - Avahi DNS Configuration Daemon
          Loaded: loaded (/lib/systemd/system/avahi-dnsconfd.service; disabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/avahi-dnsconfd.service
redirecting to systemctl
bluez-coldplug.service - LSB: handles udev coldplug of bluetooth dongles
          Loaded: loaded (/etc/init.d/bluez-coldplug)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
         Process: 3920 ExecStart=/etc/init.d/bluez-coldplug start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/bluez-coldplug.service
redirecting to systemctl
cgroup.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
systemd-tmpfiles-setup.service - Recreate Volatile Files and Directories
          Loaded: loaded (/lib/systemd/system/systemd-tmpfiles-setup.service; static)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
         Process: 906 ExecStart=/bin/systemd-tmpfiles --create --remove (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/systemd-tmpfiles-setup.service
redirecting to systemctl
clock.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
crypto.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
crypto-early.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
cycle.service - LSB: Set default boot entry if called
          Loaded: loaded (/etc/init.d/boot.cycle)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
         Process: 470 ExecStart=/etc/init.d/boot.cycle start (code=exited, status=6/NOTCONFIGURED)
          CGroup: name=systemd:/system/cycle.service
redirecting to systemctl
device-mapper.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)

Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
dmraid.service - LSB: start dmraid
          Loaded: loaded (/etc/init.d/boot.dmraid)
          Active: inactive (dead)
          CGroup: name=systemd:/system/dmraid.service
redirecting to systemctl
klog.service - Early Kernel Boot Messages
          Loaded: loaded (/lib/systemd/system/klog.service; disabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/klog.service
redirecting to systemctl
ldconfig.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
loadmodules.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)

Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
localfs.service - Shadow /etc/init.d/boot.localfs
          Loaded: loaded (/lib/systemd/system/localfs.service; static)
          Active: inactive (dead)
          CGroup: name=systemd:/system/localfs.service
redirecting to systemctl
localnet.service - LSB: setup hostname and yp
          Loaded: loaded (/etc/init.d/boot.localnet)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:20 +0000; 14h ago
         Process: 503 ExecStart=/etc/init.d/boot.localnet start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/localnet.service
redirecting to systemctl
lvm.service - LSB: start logical volumes
          Loaded: loaded (/etc/init.d/boot.lvm)
          Active: inactive (dead)
          CGroup: name=systemd:/system/lvm.service
redirecting to systemctl
lvm_monitor.service - LSB: start monitoring of LVM VGs now filesystems are mounted rw
          Loaded: loaded (/etc/init.d/boot.lvm_monitor)
          Active: inactive (dead)
          CGroup: name=systemd:/system/lvm_monitor.service
redirecting to systemctl
md.service - LSB: Multiple Device RAID
          Loaded: loaded (/etc/init.d/boot.md)
          Active: inactive (dead)
          CGroup: name=systemd:/system/md.service
redirecting to systemctl
multipath.service - LSB: Create multipath device targets
          Loaded: loaded (/etc/init.d/boot.multipath)
          Active: inactive (dead)
          CGroup: name=systemd:/system/multipath.service
redirecting to systemctl
fsck-root.service - File System Check on Root Device
          Loaded: loaded (/lib/systemd/system/fsck-root.service; static)
          Active: inactive (dead)
                  start condition failed at Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
          CGroup: name=systemd:/system/fsck-root.service
redirecting to systemctl
swap.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)
redirecting to systemctl
systemd-sysctl.service - Apply Kernel Variables
          Loaded: loaded (/lib/systemd/system/systemd-sysctl.service; static)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:20 +0000; 14h ago
         Process: 528 ExecStart=/lib/systemd/systemd-sysctl (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/systemd-sysctl.service
redirecting to systemctl
udev.service - udev Kernel Device Manager
          Loaded: loaded (/lib/systemd/system/udev.service; static)
          Active: active (running) since Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
        Main PID: 471 (udevd)
          CGroup: name=systemd:/system/udev.service
                  ├ 471 /sbin/udevd
                  ├ 643 /sbin/udevd
                  └ 644 /sbin/udevd
redirecting to systemctl
cifs.service - LSB: Import remote SMB/ CIFS (MS Windows) file systems
          Loaded: loaded (/etc/init.d/cifs)
          Active: inactive (dead)
          CGroup: name=systemd:/system/cifs.service
redirecting to systemctl
clamav-milter.service - LSB: milter compatible mail scanner
          Loaded: loaded (/etc/init.d/clamav-milter)
          Active: inactive (dead)
          CGroup: name=systemd:/system/clamav-milter.service
redirecting to systemctl
clamd.service - LSB: virus scanner daemon
          Loaded: loaded (/etc/init.d/clamd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/clamd.service
redirecting to systemctl
cpufreq.service - LSB: CPUFreq modules loader
          Loaded: loaded (/etc/init.d/cpufreq)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
         Process: 916 ExecStart=/etc/init.d/cpufreq start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/cpufreq.service
redirecting to systemctl
cron.service - Command Scheduler
          Loaded: loaded (/lib/systemd/system/cron.service; enabled)
          Active: active (running) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
        Main PID: 3923 (cron)
          CGroup: name=systemd:/system/cron.service
                  └ 3923 /usr/sbin/cron -n
redirecting to systemctl
cups.service - LSB: CUPS printer daemon
          Loaded: loaded (/etc/init.d/cups)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 1062 ExecStart=/etc/init.d/cups start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/cups.service
                  └ 1199 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
redirecting to systemctl
dbus.service - D-Bus System Message Bus
          Loaded: loaded (/lib/systemd/system/dbus.service; static)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 1024 ExecStartPre=/bin/rm -f /var/run/dbus/pid (code=exited, status=0/SUCCESS)
         Process: 1003 ExecStartPre=/bin/dbus-uuidgen --ensure (code=exited, status=0/SUCCESS)
        Main PID: 1043 (dbus-daemon)
          CGroup: name=systemd:/system/dbus.service
                  ├ 1043 /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
                  ├ 1801 /usr/lib/polkit-1/polkitd --no-debug
                  ├ 2576 /usr/lib/upower/upowerd
                  ├ 2624 /usr/lib/udisks/udisks-daemon
                  ├ 2625 udisks-daemon: not polling any devices
                  └ 3295 /usr/lib/rtkit/rtkit-daemon
redirecting to systemctl
dnsmasq.service - LSB: Starts internet name service masq caching server (DNS)
          Loaded: loaded (/etc/init.d/dnsmasq)
          Active: inactive (dead)
          CGroup: name=systemd:/system/dnsmasq.service
Checking for service syslog:                                                                                                            running
redirecting to systemctl
freshclam.service - LSB: virus scanner daemon
          Loaded: loaded (/etc/init.d/freshclam)
          Active: inactive (dead)
          CGroup: name=systemd:/system/freshclam.service
Neither the variables MOUSEDEVICE and MOUSETYPE nor the variable GPM_PARAM
is set in /etc/sysconfig/mouse
Run 'yast mouse' to set up gpm
redirecting to systemctl
haveged.service - Haveged Entropy Gathering Daemon
          Loaded: loaded (/lib/systemd/system/haveged.service; enabled)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 995 ExecStart=/sbin/haveged -w 1024 -v 1 (code=exited, status=0/SUCCESS)
        Main PID: 1058 (haveged)
          CGroup: name=systemd:/system/haveged.service
                  └ 1058 /sbin/haveged -w 1024 -v 1
redirecting to systemctl
joystick.service - LSB: Set up analog joysticks
          Loaded: loaded (/etc/init.d/joystick)
          Active: inactive (dead)
          CGroup: name=systemd:/system/joystick.service
redirecting to systemctl
kbd.service
          Loaded: masked (/dev/null)
          Active: inactive (dead)

Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
kexec.service - Reboot via kexec
          Loaded: loaded (/lib/systemd/system/kexec.service; static)
          Active: inactive (dead)
          CGroup: name=systemd:/system/kexec.service
redirecting to systemctl
ksysguardd.service - LSB: KDE ksysguard daemon
          Loaded: loaded (/etc/init.d/ksysguardd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/ksysguardd.service
redirecting to systemctl
lirc.service - LSB: lirc daemon
          Loaded: loaded (/etc/init.d/lirc)
          Active: inactive (dead)
          CGroup: name=systemd:/system/lirc.service
redirecting to systemctl
mdadmd.service - LSB: mdadmd daemon monitoring MD devices
          Loaded: loaded (/etc/init.d/mdadmd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/mdadmd.service
redirecting to systemctl
microcode.ctl.service - LSB: CPU microcode updater
          Loaded: loaded (/etc/init.d/microcode.ctl)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
         Process: 914 ExecStart=/etc/init.d/microcode.ctl start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/microcode.ctl.service
redirecting to systemctl
multipathd.service - LSB: Starts multipath daemon
          Loaded: loaded (/etc/init.d/multipathd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/multipathd.service
redirecting to systemctl
mysql.service - LSB: Start the MySQL database server
          Loaded: loaded (/etc/init.d/mysql)
          Active: inactive (dead)
          CGroup: name=systemd:/system/mysql.service
redirecting to systemctl
network.service - LSB: Configure the localfs depending network interfaces
          Loaded: loaded (/etc/init.d/network)
          Active: active (running) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
         Process: 1061 ExecStart=/etc/init.d/network start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/network.service
                  ├ 1992 /sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhclient6.eth0.lease -pf /var/run/dhclie...
                  └ 2533 /sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook -t 0 -h linux-7sgr eth0
redirecting to systemctl
network-remotefs.service - LSB: Configure the remote-fs depending network interfaces
          Loaded: loaded (/etc/init.d/network-remotefs)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
         Process: 3935 ExecStart=/etc/init.d/network-remotefs start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/network-remotefs.service
redirecting to systemctl
nfs.service - LSB: NFS client services
          Loaded: loaded (/etc/init.d/nfs)
          Active: inactive (dead)
          CGroup: name=systemd:/system/nfs.service
redirecting to systemctl
nmb.service - LSB: Samba NetBIOS naming service over IP
          Loaded: loaded (/etc/init.d/nmb)
          Active: inactive (dead)
          CGroup: name=systemd:/system/nmb.service
redirecting to systemctl
nscd.service - LSB: Start Name Service Cache Daemon
          Loaded: loaded (/etc/init.d/nscd)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 1008 ExecStart=/etc/init.d/nscd start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/nscd.service
                  └ 1021 /usr/sbin/nscd
redirecting to systemctl
ntp.service - LSB: Network time protocol daemon (ntpd)
          Loaded: loaded (/etc/init.d/ntp)
          Active: inactive (dead)
          CGroup: name=systemd:/system/ntp.service
redirecting to systemctl
openvpn.service - LSB: OpenVPN tunnel
          Loaded: loaded (/etc/init.d/openvpn)
          Active: inactive (dead)
          CGroup: name=systemd:/system/openvpn.service
redirecting to systemctl
pm-profiler.service - LSB: Script infrastructure to enable/disable certain power management functions
          Loaded: loaded (/etc/init.d/pm-profiler)
          Active: inactive (dead)
          CGroup: name=systemd:/system/pm-profiler.service
redirecting to systemctl
Failed to issue method call: Unknown unit
redirecting to systemctl
powerd.service - LSB: Start the UPS monitoring daemon
          Loaded: loaded (/etc/init.d/powerd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/powerd.service
redirecting to systemctl
systemd-random-seed-load.service - Load Random Seed
          Loaded: loaded (/lib/systemd/system/systemd-random-seed-load.service; static)
          Active: inactive (dead) since Tue, 12 Mar 2013 19:09:22 +0000; 14h ago
         Process: 533 ExecStart=/lib/systemd/systemd-random-seed load (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/systemd-random-seed-load.service
redirecting to systemctl
raw.service - LSB: raw devices
          Loaded: loaded (/etc/init.d/raw)
          Active: inactive (dead)
          CGroup: name=systemd:/system/raw.service
redirecting to systemctl
rpcbind.service - LSB: TI-RPC program number mapper
          Loaded: loaded (/etc/init.d/rpcbind)
          Active: inactive (dead)
          CGroup: name=systemd:/system/rpcbind.service
redirecting to systemctl
rpmconfigcheck.service - LSB: rpm config file scan
          Loaded: loaded (/etc/init.d/rpmconfigcheck)
          Active: inactive (dead)
          CGroup: name=systemd:/system/rpmconfigcheck.service
redirecting to systemctl
rsyncd.service - LSB: Start the rsync server daemon
          Loaded: loaded (/etc/init.d/rsyncd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/rsyncd.service
redirecting to systemctl
setserial.service - LSB: Initializes the serial ports
          Loaded: loaded (/etc/init.d/setserial)
          Active: inactive (dead)
          CGroup: name=systemd:/system/setserial.service
/usr/sbin/FOO not installed
redirecting to systemctl
smartd.service - Self Monitoring and Reporting Technology (SMART) Daemon
          Loaded: loaded (/lib/systemd/system/smartd.service; disabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/smartd.service
redirecting to systemctl
smb.service - LSB: Samba SMB/CIFS file and print server
          Loaded: loaded (/etc/init.d/smb)
          Active: inactive (dead)
          CGroup: name=systemd:/system/smb.service
redirecting to systemctl
smolt.service - LSB: Enables automated checkins with smolt
          Loaded: loaded (/etc/init.d/smolt)
          Active: inactive (dead)
          CGroup: name=systemd:/system/smolt.service
redirecting to systemctl
splash.service - LSB: Splash screen setup
          Loaded: loaded (/etc/init.d/splash)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 971 ExecStart=/etc/init.d/splash start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/splash.service
redirecting to systemctl
splash_early.service - LSB: kills animation after network start
          Loaded: loaded (/etc/init.d/splash_early)
          Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
         Process: 3921 ExecStart=/etc/init.d/splash_early start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/splash_early.service
redirecting to systemctl
sshd.service - LSB: Start the sshd daemon
          Loaded: loaded (/etc/init.d/sshd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/sshd.service
redirecting to systemctl
syslog.service - System Logging Service
          Loaded: loaded (/lib/systemd/system/syslog.service; enabled)
          Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
         Process: 984 ExecStart=/sbin/rsyslogd -c 5 -f /etc/rsyslog.conf (code=exited, status=0/SUCCESS)
         Process: 982 ExecStartPre=/var/run/rsyslog/addsockets (code=exited, status=0/SUCCESS)
         Process: 923 ExecStartPre=/bin/systemctl stop systemd-kmsg-syslogd.service (code=exited, status=0/SUCCESS)
        Main PID: 988 (rsyslogd)
          CGroup: name=systemd:/system/syslog.service
                  └ 988 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
redirecting to systemctl
xdm.service - LSB: X Display Manager
          Loaded: loaded (/etc/init.d/xdm)
          Active: active (running) since Tue, 12 Mar 2013 19:09:31 +0000; 14h ago
         Process: 1068 ExecStart=/etc/init.d/xdm start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/xdm.service
                  ├ 1312 /usr/bin/kdm
                  └ 1427 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-FxZ3mb
redirecting to systemctl
xfs.service - LSB: X Font Server
          Loaded: loaded (/etc/init.d/xfs)
          Active: inactive (dead)
          CGroup: name=systemd:/system/xfs.service
redirecting to systemctl
xinetd.service - LSB: Starts the xinet daemon. Be aware that xinetd doesn't start if no service is configured to run under it. To enable xinetd services go to YaST Network Services (xinetd) section.
          Loaded: loaded (/etc/init.d/xinetd)
          Active: inactive (dead)
          CGroup: name=systemd:/system/xinetd.service
redirecting to systemctl
ypbind.service - LSB: Start ypbind (necessary for a NIS client)
          Loaded: loaded (/etc/init.d/ypbind)
          Active: inactive (dead)
          CGroup: name=systemd:/system/ypbind.service
Mozilla Firefox 14.0.1
Code:
Plugins:
  - IcedTea-Web Plugin (using IcedTea-Web 1.2 (suse-3.1-i386)) - to execute Java Applets
  - PackageKit - for installing Applications (new) - First time I see this plugin, but it has probably always been here in the Firefox of openSUSE.
  - Shockwave Flash 11.2 r202
  - Silverlight Plug-In 4.0.51204.0

Addons:
  - Adblock Plus
  - All-in-One Sidebar
  - Blank Your Monitor + Easy Reading
  - DownloadHelper
  - Novell Moonlight
  - openSUSE Firefox extensions
  - Personas
  - Wiktionary and Google Translate
Computer A is usually connected (nearly 24/7), and between normal use (no attack identified) and the notification of the bookmark modification (possible attack performed) there was 1 day in between. They didn't need to log in again, because the computer was switched on, only with the screen blacked out.


[Continue..]
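The modified bookmarks are the one concrete indicator in the post above, and the poster has a one-day window between last known-good use and discovery. The script below is an added example (not code from the thread or from the poster): it lists every bookmark in a copy of Firefox's places.sqlite whose lastModified falls inside that window and flags whether the entry was newly created or an existing one that was edited. The schema subset, the PRTime (microseconds since the Unix epoch) interpretation of dateAdded/lastModified, the window timestamps and the sample rows are assumptions and constructed data; check the real columns with `sqlite3 places.sqlite .schema moz_bookmarks` before relying on them, and always work on a copy rather than the database Firefox has open.

```python
"""Added example: triage bookmark changes in a copy of Firefox's places.sqlite.

Assumed schema subset (verify against the real file): moz_bookmarks(type, fk,
title, dateAdded, lastModified), type 1 = bookmark, fk -> moz_places.id for the
URL, timestamps are PRTime (microseconds since the Unix epoch).
"""
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone

US_PER_SEC = 1_000_000

# Constructed window: last known-good use -> moment the change was noticed.
WINDOW_START = datetime(2013, 3, 11, 19, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2013, 3, 12, 19, 0, tzinfo=timezone.utc)


def to_prtime(dt):
    return int(dt.timestamp() * US_PER_SEC)


def from_prtime(us):
    return datetime.fromtimestamp(us / US_PER_SEC, tz=timezone.utc)


def bookmarks_changed_between(conn, start, end):
    """Bookmarks whose lastModified lies in [start, end], newest first.

    new_in_window separates entries planted inside the window from edits to
    pre-existing ones; both matter when reconstructing what happened.
    """
    sql = """
        SELECT b.title, p.url, b.dateAdded, b.lastModified
        FROM moz_bookmarks AS b
        LEFT JOIN moz_places AS p ON p.id = b.fk
        WHERE b.type = 1
          AND b.lastModified BETWEEN ? AND ?
        ORDER BY b.lastModified DESC
    """
    lo, hi = to_prtime(start), to_prtime(end)
    return [
        {
            "title": title,
            "url": url,
            "added": from_prtime(added),
            "modified": from_prtime(modified),
            "new_in_window": added >= lo,
        }
        for title, url, added, modified in conn.execute(sql, (lo, hi))
    ]


def triage_profile(places_path, start, end):
    """Copy places.sqlite to a temp dir and query the copy read-only."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = shutil.copy(places_path, tmp)
        conn = sqlite3.connect(f"file:{copy}?mode=ro", uri=True)
        try:
            return bookmarks_changed_between(conn, start, end)
        finally:
            conn.close()


def build_sample_db():
    """Constructed in-memory stand-in for places.sqlite (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_bookmarks (
            id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, parent INTEGER,
            position INTEGER, title TEXT, dateAdded INTEGER, lastModified INTEGER);
    """)
    t = lambda *a: to_prtime(datetime(*a, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "http://www.opensuse.org/", "openSUSE"),
        (2, "http://www.linuxquestions.org/", "LinuxQuestions"),
        (3, "http://example.invalid/", "planted"),
    ])
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [
        (1, 2, None, 0, 0, "Bookmarks Toolbar", t(2012, 6, 1), t(2012, 6, 1)),
        (2, 1, 1, 1, 0, "openSUSE", t(2012, 6, 1), t(2012, 6, 1)),          # untouched
        (3, 1, 2, 1, 1, "LinuxQuestions", t(2012, 6, 1), t(2013, 3, 12, 3, 14)),  # edited in window
        (4, 1, 3, 1, 2, "planted", t(2013, 3, 12, 3, 15), t(2013, 3, 12, 3, 15)),  # created in window
        (5, 1, 1, 1, 3, "openSUSE copy", t(2013, 3, 13, 10, 0), t(2013, 3, 13, 10, 0)),  # after window
    ])
    conn.commit()
    return conn


def demo():
    """Run the query against the constructed sample; returns the flagged rows."""
    return bookmarks_changed_between(build_sample_db(), WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for row in demo():
        kind = "NEW " if row["new_in_window"] else "EDIT"
        print(f"{row['modified']:%Y-%m-%d %H:%M} {kind} {row['title']!r} -> {row['url']}")
```

For a real profile call `triage_profile("/path/to/copy/places.sqlite", WINDOW_START, WINDOW_END)` with the window set from the user's own account of when the machine was last used normally. Timestamps in the database can be rewritten by whoever has write access to the profile, so a clean result does not prove nothing happened; a hit, however, gives a precise time to line up against the syslog and the router's logs.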
 
Old 03-13-2013, 12:04 PM   #7
Zzipo (Original Poster)
[..Continue]

Router
The router has wireless capability, but it is deactivated. The only wire connected directly to the router goes to Computer A. There is no way for it to be tapped. It is impossible for there to be other users (intruders) on the same LAN.
Only two possibilities:
- tap the wire in some point from our house to the DSLAM (telco's), the wires of the neighborhood.
- attack from outside

The router has an easy password to access, but I think one first has to be in the LAN to be able to connect, isn't it?
For sure none of the legitimate users access the router.
I have to say, I trust the legitimate users 120%.

I have changed the physical address to show it here.

Code:
ARP Table
IP address 	Physical Address 	Interface 	Static 	 
192.168.1.33	sf:sf:sf:sf:sf:sf	eth0		no


Routing Table
Destination 	Netmask 	Gateway 	Interface 	Metric 	 
0.0.0.0 	0.0.0.0 	0.0.0.0 	ppp-0 	1


IP Filter Configuration
IP Filtering: Disabled


Port Forwarding Configuration
Name 	Protocol 	External Port 	Internal IP 	Internal Port 			 		 
ppp-0 	 
eMULE 	TCP 		37000 		192.168.1.33 	37000		 
eMULE 	UDP 		8000 		192.168.1.33 	8000 


Virtual Server Configuration
DMZ Host
Interface 	DMZ Host 		 
ppp-0 		N/A 		 
ppp-1 		N/A 		 


MAC Filtering
Disabled


Quality of Service Configuration
Traffic Name 	Priority 	VLAN ID Min-Max 	IP TOS 		802.1p 	[Source IP] AddressNetmask 	Start Port	End Port 	[Destination IP] AddressNetmask 	Start Port	End Port 	 
Profile Name: voip 	 
Rule: voip 	7 		-1--1 			Normal Service 	-1 	0.0.0.0		0.0.0.0 	0		65535 		81.47.224.0	255.255.252.0 		0		65535
Nmap on Computer A
sudo nmap -v -sT 192.168.1.0/24
Code:
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2013-03-13 10:43 WET
Initiating ARP Ping Scan at 10:43
Scanning 33 hosts [1 port/host]
Completed ARP Ping Scan at 10:43, 0.65s elapsed (33 total hosts)
Initiating Parallel DNS resolution of 33 hosts. at 10:43
Completed Parallel DNS resolution of 33 hosts. at 10:43, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:43
Completed Parallel DNS resolution of 1 host. at 10:43, 0.06s elapsed
Initiating Connect Scan at 10:43
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 23/tcp on 192.168.1.1
Discovered open port 21/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 8008/tcp on 192.168.1.1
Discovered open port 2800/tcp on 192.168.1.1
Completed Connect Scan at 10:43, 1.11s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.58s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
2800/tcp open  acc-raid
8008/tcp open  http
MAC Address: sf:sf:sf:sf:sf:sf (sfsfsfs.)

Initiating ARP Ping Scan at 10:43
Scanning 222 hosts [1 port/host]
Completed ARP Ping Scan at 10:43, 9.24s elapsed (222 total hosts)
Initiating Connect Scan at 10:43
Scanning 192.168.1.33 [1000 ports]
Completed Connect Scan at 10:43, 0.01s elapsed (1000 total ports)
Nmap scan report for 192.168.1.33
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.1.33 are closed

Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (2 hosts up) scanned in 11.26 seconds
           Raw packets sent: 509 (14.252KB) | Rcvd: 1 (28B)
sudo nmap -sT -O localhost
Code:
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2013-03-13 10:47 WET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000071s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(
....)

Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.63 seconds
I see in the port forwarding two ports for eMule (really weird... several years without using that program), but then nmap doesn't detect those ports as open. Why?

Computer B - The next results are without internet connection. (If I connect ethernet I will need other services like iptables, dhcpcd, ... that are not listed now.)

Executed without internet connection:
systemctl list-units --full | grep active
Code:
proc-sys-fs-binfmt_misc.automount                                                        loaded active waiting   Arbitrary Executable File Formats File System Automount Point
sys-devices-pci0000:00-0000:00:01.0-0000:01:00.1-sound-card1.device                      loaded active plugged   /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.1/sound/card1
sys-devices-pci0000:00-0000:00:1b.0-sound-card0.device                                   loaded active plugged   /sys/devices/pci0000:00/0000:00:1b.0/sound/card0
sys-devices-pci0000:00-0000:00:1c.0-0000:02:00.0-net-wlan0.device                        loaded active plugged   /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/net/wlan0
sys-devices-pci0000:00-0000:00:1c.3-0000:06:00.0-net-eth0.device                         loaded active plugged   /sys/devices/pci0000:00/0000:00:1c.3/0000:06:00.0/net/eth0
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda3.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda4.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda5.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda6.device loaded active plugged   ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda.device      loaded active plugged   ST9500325AS
sys-devices-platform-serial8250-tty-ttyS0.device                                         loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS0
sys-devices-platform-serial8250-tty-ttyS1.device                                         loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS1
sys-devices-platform-serial8250-tty-ttyS2.device                                         loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS2
sys-devices-platform-serial8250-tty-ttyS3.device                                         loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS3
sys-module-configfs.device                                                               loaded active plugged   /sys/module/configfs
sys-module-fuse.device                                                                   loaded active plugged   /sys/module/fuse
sys-subsystem-net-devices-eth0.device                                                    loaded active plugged   /sys/subsystem/net/devices/eth0
sys-subsystem-net-devices-wlan0.device                                                   loaded active plugged   /sys/subsystem/net/devices/wlan0
-.mount                                                                                  loaded active mounted   /
dev-hugepages.mount                                                                      loaded active mounted   Huge Pages File System
dev-mqueue.mount                                                                         loaded active mounted   POSIX Message Queue File System
media-Datos.mount                                                                        loaded active mounted   /media/Datos
sys-fs-fuse-connections.mount                                                            loaded active mounted   FUSE Control File System
sys-kernel-config.mount                                                                  loaded active mounted   Configuration File System
sys-kernel-debug.mount                                                                   loaded active mounted   Debug File System
tmp.mount                                                                                loaded active mounted   /tmp
systemd-ask-password-console.path                                                        loaded active waiting   Dispatch Password Requests to Console Directory Watch
systemd-ask-password-wall.path                                                           loaded active waiting   Forward Password Requests to Wall Directory Watch
cronie.service                                                                           loaded active running   Periodic Command Scheduler
dbus.service                                                                             loaded active running   D-Bus System Message Bus
getty@tty1.service                                                                       loaded active running   Getty on tty1
iptables.service                                                                         loaded active exited    Packet Filtering Framework
kdm.service                                                                              loaded active running   K Display Manager
lm_sensors.service                                                                       loaded active exited    Initialize hardware monitoring sensors
polkit.service                                                                           loaded active running   Authorization Manager
rc-local.service                                                                         loaded active exited    /etc/rc.local Compatibility
syslog-ng.service                                                                        loaded active running   System Logger Daemon
systemd-journald.service                                                                 loaded active running   Journal Service
systemd-logind.service                                                                   loaded active running   Login Service
systemd-modules-load.service                                                             loaded active exited    Load Kernel Modules
systemd-remount-fs.service                                                               loaded active exited    Remount Root and Kernel File Systems
systemd-sysctl.service                                                                   loaded active exited    Apply Kernel Variables
systemd-tmpfiles-setup.service                                                           loaded active exited    Recreate Volatile Files and Directories
systemd-udev-trigger.service                                                             loaded active exited    udev Coldplug all Devices
systemd-udevd.service                                                                    loaded active running   udev Kernel Device Manager
systemd-user-sessions.service                                                            loaded active exited    Permit User Sessions
systemd-vconsole-setup.service                                                           loaded active exited    Setup Virtual Console
udisks2.service                                                                          loaded active running   Disk Manager
upower.service                                                                           loaded active running   Daemon for power management
dbus.socket                                                                              loaded active running   D-Bus System Message Bus Socket
dmeventd.socket                                                                          loaded active listening Device-mapper event daemon FIFOs
lvmetad.socket                                                                           loaded active listening LVM2 metadata daemon socket
syslog.socket                                                                            loaded active running   Syslog Socket
systemd-initctl.socket                                                                   loaded active listening /dev/initctl Compatibility Named Pipe
systemd-journald.socket                                                                  loaded active running   Journal Socket
systemd-shutdownd.socket                                                                 loaded active listening Delayed Shutdown Socket
systemd-udevd-control.socket                                                             loaded active listening udev Control Socket
systemd-udevd-kernel.socket                                                              loaded active running   udev Kernel Socket
dev-sda6.swap                                                                            loaded active active    /dev/sda6
arch-daemons.target                                                                      loaded active active    Arch Daemons
basic.target                                                                             loaded active active    Basic System
cryptsetup.target                                                                        loaded active active    Encrypted Volumes
getty.target                                                                             loaded active active    Login Prompts
graphical.target                                                                         loaded active active    Graphical Interface
local-fs-pre.target                                                                      loaded active active    Local File Systems (Pre)
local-fs.target                                                                          loaded active active    Local File Systems
multi-user.target                                                                        loaded active active    Multi-User
remote-fs.target                                                                         loaded active active    Remote File Systems
sockets.target                                                                           loaded active active    Sockets
sound.target                                                                             loaded active active    Sound Card
swap.target                                                                              loaded active active    Swap
sysinit.target                                                                           loaded active active    System Initialization
syslog.target                                                                            loaded active active    Syslog
systemd-tmpfiles-clean.timer                                                             loaded active waiting   Daily Cleanup of Temporary Directories
76 loaded units listed. Pass --all to see loaded but inactive units, too.
sudo nmap -v -sT localhost
Code:
Starting Nmap 6.25 ( http://nmap.org ) at 2013-03-13 13:01 CET
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating Connect Scan at 13:01
Scanning localhost (127.0.0.1) [1000 ports]
Completed Connect Scan at 13:01, 0.03s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00058s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
All 1000 scanned ports on localhost (127.0.0.1) are closed

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
[Connecting to the LAN and therefore to Internet]
If I try to connect to the Internet now, it doesn't work. I can do sudo ifconfig eth0 up, but sudo dhcpcd eth0 doesn't work.
It says: eth0 sending IPv6 Router Solicitation.... finally no IPv6 Routers available. Timed out. I know that it has to be IPv4, but yesterday it worked and today it doesn't.
If I try to ping 192.168.1.1 it says: network is unreachable.
I have to edit /etc/dhcpcd.conf manually and modify these lines:
#noipv4ll
noipv6rs

Also, modify /etc/hosts and comment out the ::1 line.
But as I said, I didn't modify them the other way round, and yesterday (the first time I connected computerB to the LAN of computerA) dhcpcd for IPv4 worked correctly.

As I see, there is still no network connection... at least dhcpcd has assigned me an IP, etc., but it is not the normal one in the 192.168.1.x range (like the router 192.168.1.1 and the other PC 192.168.1.33)
but 169.254.67.213, netmask 255.255.0.0 and broadcast 169.254.255.255.
Something weird... and of course, the network is still unreachable if I try to ping Google or the router.
I have to reset the router manually for computerB to work properly.

Abnormal behaviour
The point is that after I connect to the Internet (once ping works) the computer gets slow, emacs doesn't work, and if I try to open another terminal it says KDEInit could not launch '/usr/bin/konsole'.
So, something goes wrong.

[Continue..]
 
Old 03-13-2013, 12:10 PM   #8
Zzipo
LQ Newbie
 
Registered: Mar 2013
Posts: 28

Original Poster
Rep: Reputation: Disabled
[..Continue]

uname -r
3.7.9-2-ARCH

Updated almost every month. I do it just by pacman -Syu.
I don't really have any idea whether errors appear, because there are hundreds of programs and packages and I'm quite a newbie with Linux.
When I believed that computerA was at risk because of that, I checked the ports (iptables, firewall) of my ArchLinux, and the rules were completely open; that is because I changed to systemd and created the Simple Stateful Firewall for iptables on computerB. But it wasn't in the same LAN, so there was no risk of an intruder at that time.

NMAP from ComputerA to ComputerB
Code:
Initiating Connect Scan at 13:51
Scanning 192.168.1.34 [1000 ports]
Completed Connect Scan at 13:52, 50.80s elapsed (1000 total ports)
Nmap scan report for 192.168.1.34
Host is up (0.98s latency).
Not shown: 999 filtered ports
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: xf:xf:xf:xf:xf:xf (xfxfxf.)

Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (3 hosts up) scanned in 62.24 seconds
           Raw packets sent: 508 (14.224KB) | Rcvd: 2 (56B)
ps aux in computerB
Code:
F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY          TIME CMD
4 S     0     1     0  0  80   0 -  1261 epoll_ ?        00:00:00 systemd
1 S     0     2     0  0  80   0 -     0 kthrea ?        00:00:00 kthreadd
1 S     0     3     2  0  80   0 -     0 smpboo ?        00:00:00 ksoftirqd/0
1 S     0     5     2  0  60 -20 -     0 worker ?        00:00:00 kworker/0:0H
1 S     0     7     2  0  60 -20 -     0 worker ?        00:00:00 kworker/u:0H
1 S     0     8     2  0 -40   - -     0 cpu_st ?        00:00:00 migration/0
1 S     0     9     2  0  80   0 -     0 rcu_gp ?        00:00:00 rcu_preempt
1 S     0    10     2  0  80   0 -     0 rcu_gp ?        00:00:00 rcu_bh
1 S     0    11     2  0  80   0 -     0 rcu_gp ?        00:00:00 rcu_sched
5 S     0    12     2  0 -40   - -     0 smpboo ?        00:00:00 watchdog/0
5 S     0    13     2  0 -40   - -     0 smpboo ?        00:00:00 watchdog/1
1 S     0    14     2  0  80   0 -     0 smpboo ?        00:00:00 ksoftirqd/1
1 S     0    15     2  0 -40   - -     0 cpu_st ?        00:00:00 migration/1
1 S     0    17     2  0  60 -20 -     0 worker ?        00:00:00 kworker/1:0H
1 S     0    18     2  0  60 -20 -     0 rescue ?        00:00:00 cpuset
1 S     0    19     2  0  60 -20 -     0 rescue ?        00:00:00 khelper
5 S     0    20     2  0  80   0 -     0 devtmp ?        00:00:00 kdevtmpfs
1 S     0    21     2  0  60 -20 -     0 rescue ?        00:00:00 netns
1 S     0    22     2  0  80   0 -     0 bdi_fo ?        00:00:00 bdi-default
1 S     0    23     2  0  60 -20 -     0 rescue ?        00:00:00 kblockd
1 S     0    26     2  0  80   0 -     0 watchd ?        00:00:00 khungtaskd
1 S     0    27     2  0  80   0 -     0 kswapd ?        00:00:00 kswapd0
1 S     0    28     2  0  85   5 -     0 ksm_sc ?        00:00:00 ksmd
1 S     0    29     2  0  99  19 -     0 khugep ?        00:00:00 khugepaged
1 S     0    30     2  0  80   0 -     0 fsnoti ?        00:00:00 fsnotify_mark
1 S     0    31     2  0  60 -20 -     0 rescue ?        00:00:00 crypto
1 S     0    35     2  0  60 -20 -     0 rescue ?        00:00:00 kthrotld
1 S     0    36     2  0  80   0 -     0 worker ?        00:00:00 kworker/1:2
1 S     0    37     2  0  60 -20 -     0 rescue ?        00:00:00 deferwq
1 S     0    78     2  0  80   0 -     0 hub_th ?        00:00:00 khubd
1 S     0    79     2  0  60 -20 -     0 rescue ?        00:00:00 ata_sff
1 S     0    80     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_0
1 S     0    81     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_1
1 S     0    82     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_2
1 S     0    83     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_3
1 S     0    84     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_4
1 S     0    85     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_5
1 S     0    88     2  0  80   0 -     0 worker ?        00:00:00 kworker/u:4
1 S     0    89     2  0  80   0 -     0 worker ?        00:00:00 kworker/u:5
1 S     0    92     2  0  80   0 -     0 scsi_e ?        00:00:00 scsi_eh_6
1 S     0    93     2  0  80   0 -     0 usb_st ?        00:00:00 usb-storage
1 S     0    96     2  0  60 -20 -     0 worker ?        00:00:00 kworker/1:1H
1 S     0    97     2  0  60 -20 -     0 worker ?        00:00:00 kworker/0:1H
1 S     0    98     2  0  80   0 -     0 worker ?        00:00:00 kworker/0:2
1 S     0   106     2  0  80   0 -     0 kjourn ?        00:00:00 jbd2/sda5-8
1 S     0   107     2  0  60 -20 -     0 rescue ?        00:00:00 ext4-dio-unwrit
4 S     0   124     1  0  80   0 -  2752 epoll_ ?        00:00:00 systemd-udevd
4 S     0   129     1  9  80   0 - 69899 epoll_ ?        00:02:51 systemd-journal
1 S     0   136     2  0  60 -20 -     0 rescue ?        00:00:00 iprt
1 S     0   217     2  0  60 -20 -     0 rescue ?        00:00:00 kpsmoused
1 S     0   220     2  0  80   0 -     0 bdi_wr ?        00:00:00 flush-8:0
1 S     0   238     2  0  60 -20 -     0 rescue ?        00:00:00 led_workqueue
1 S     0   239     2  0  60 -20 -     0 rescue ?        00:00:00 cfg80211
1 S     0   270     2  0  60 -20 -     0 rescue ?        00:00:00 ttm_swap
1 S     0   272     2  0  60 -20 -     0 rescue ?        00:00:00 hd-audio0
1 S     0   341     2  0  60 -20 -     0 rescue ?        00:00:00 hd-audio1
5 S     0   345     1  0  80   0 -  1231 fuse_d ?        00:00:00 mount.ntfs-3g
4 S     0   350     1  0  80   0 -  1902 epoll_ ?        00:00:00 syslog-ng
4 S     0   354     1  0  80   0 -  1202 hrtime ?        00:00:00 crond
4 S    81   355     1  0  80   0 -   834 epoll_ ?        00:00:00 dbus-daemon
4 S     0   356     1  0  80   0 -   834 epoll_ ?        00:00:00 systemd-logind
4 S     0   363     1  0  80   0 -   953 n_tty_ tty1     00:00:00 agetty
4 S     0   364     1  0  80   0 -   992 poll_s ?        00:00:00 kdm
4 S     0   391   364  0  80   0 - 20112 poll_s tty7     00:00:12 X
5 S     0   400   364  0  80   0 -  1367 sigsus ?        00:00:00 kdm
4 S  1000   412   400  0  80   0 -  1299 wait   ?        00:00:00 startkde
1 S  1000   423     1  0  80   0 -   906 poll_s ?        00:00:00 dbus-launch
1 S  1000   424     1  0  80   0 -  1027 epoll_ ?        00:00:00 dbus-daemon
1 S  1000   450     1  0  80   0 -  1184 poll_s ?        00:00:00 gpg-agent
1 S  1000   453     1  0  80   0 -  1054 poll_s ?        00:00:00 ssh-agent
5 S     0   468     1  0  80   0 -   508 pipe_w ?        00:00:00 start_kdeinit
1 S  1000   469     1  0  80   0 - 32316 poll_s ?        00:00:00 kdeinit4
1 S  1000   470   469  0  80   0 - 32821 poll_s ?        00:00:00 klauncher
1 S  1000   472     1  0  80   0 - 53818 poll_s ?        00:00:01 kded4
1 S  1000   479     1  0  80   0 - 36628 poll_s ?        00:00:00 kglobalaccel
1 S  1000   483     1  0  80   0 - 36498 poll_s ?        00:00:00 kactivitymanage
0 S     0   484     1  0  80   0 -  7424 poll_s ?        00:00:00 upowerd
0 S  1000   485   412  0  80   0 -   542 unix_s ?        00:00:00 kwrapper4
1 S  1000   486   469  0  80   0 - 38796 poll_s ?        00:00:00 ksmserver
4 S   102   492     1  0  80   0 - 15479 poll_s ?        00:00:00 polkitd
0 S     0   528     1  0  80   0 - 10763 poll_s ?        00:00:00 udisksd
0 S  1000   550   486  0  80   0 - 117798 poll_s ?       00:00:11 kwin
1 S  1000   579     1  0  80   0 - 37489 poll_s ?        00:00:02 knotify4
1 S  1000   583     1  0  80   0 - 117596 poll_s ?       00:00:10 plasma-desktop
1 S  1000   589     1  0  80   0 - 21540 poll_s ?        00:00:00 kuiserver
0 S  1000   598     1  0  80   0 - 11396 poll_s ?        00:00:00 akonadi_control
0 S  1000   600   598  0  80   0 - 51206 poll_s ?        00:00:00 akonadiserver
0 S  1000   603   600  0  80   0 - 62394 poll_s ?        00:00:00 mysqld
1 S  1000   636     1  0  80   0 - 77142 poll_s ?        00:00:01 krunner
1 S  1000   638   469  0  80   0 - 35216 poll_s ?        00:00:00 nepomukserver
0 S  1000   642   638  0  99  19 - 40628 poll_s ?        00:00:06 nepomukservices
1 S  1000   645     1  0  80   0 - 60325 poll_s ?        00:00:00 kmix
1 S  1000   647     1  0  80   0 - 21835 poll_s ?        00:00:00 nepomukcontroll
1 S  1000   650     1  0  80   0 - 27785 poll_s ?        00:00:02 yakuake
0 S  1000   662   598  0  80   0 - 21476 poll_s ?        00:00:00 akonadi_agent_l
0 S  1000   663   598  0  80   0 - 39524 poll_s ?        00:00:00 akonadi_archive
0 S  1000   666   598  0  80   0 - 21526 poll_s ?        00:00:00 akonadi_agent_l
0 S  1000   667   598  0  80   0 - 21475 poll_s ?        00:00:00 akonadi_agent_l
0 S  1000   668   598  0  80   0 - 23760 poll_s ?        00:00:00 akonadi_maildis
0 S  1000   669   598  0  80   0 - 39525 poll_s ?        00:00:00 akonadi_mailfil
1 S  1000   671     1  0  80   0 - 24361 poll_s ?        00:00:00 polkit-kde-auth
0 S  1000   672   598  0  80   0 - 24962 poll_s ?        00:00:00 akonadi_nepomuk
0 S  1000   679   650  0  80   0 -  1312 wait   pts/1    00:00:00 bash
1 S  1000   692     1  0  80   0 - 26347 poll_s ?        00:00:00 korgac
1 S  1000   711     1  0  80   0 - 36400 poll_s ?        00:00:00 klipper
0 S  1000   768   642  1  99  19 - 13394 futex_ ?        00:00:30 virtuoso-t
0 S  1000   779   638  0  99  19 - 27301 poll_s ?        00:00:00 nepomukservices
0 S  1000   780   638  0  99  19 - 30844 poll_s ?        00:00:11 nepomukservices
1 S     0   884     2  0  80   0 -     0 worker ?        00:00:00 kworker/1:0
5 S     0   992     1  0  80   0 -   605 poll_s ?        00:00:00 dhcpcd
1 S     0  1019     2  0  80   0 -     0 worker ?        00:00:00 kworker/0:1
1 S     0  1150     2  0  80   0 -     0 worker ?        00:00:00 kworker/0:0
4 S     0  1173   679  0  80   0 -  1267 poll_s pts/1    00:00:00 sudo
4 R     0  1174  1173  0  80   0 -  1156 -      pts/1    00:00:00 ps
[More info related to network]
Both computers use:
- everyday Mozilla Firefox and Thunderbird
- often KTorrent, KGet and Skype
- seldom DropBox


[Continue.. now the answer of the two previous posts]
 
Old 03-13-2013, 12:58 PM   #9
Zzipo
LQ Newbie
 
Registered: Mar 2013
Posts: 28

Original Poster
Rep: Reputation: Disabled
[..Continue]
I have now read the private message; I was trying to avoid even going into one of the emails because maybe the system is compromised, and my passwords too, by some sort of keylogger.

So, the summary of the previous posts regarding your questions:
- computerA (which I think was compromised two or three weeks ago) - OpenSUSE 12.1 - updated probably 6 months ago (but I don't know yet whether there is auto-updating/upgrading)
- computerB (which I connected to the LAN for the first time yesterday) - ArchLinux 3.7 - updated approximately monthly.

- Neither of them is a server; they are desktop computers for normal use. Therefore, no Plesk or cPanel (I needed to search to know what those were xD)
- The processes are listed above.
- Network applications that run on both systems are also written above.

The file from the earlier line of sh commands is really large. I will send it to you as a private message, and if you prefer I can also try to post it here in several posts.

- I copied the /var/log files to a flash drive. I'm writing from computerA (it remains connected), but computerB is isolated (really dangerous if an intruder destroys my files), although this morning I connected it to the Internet as I posted before... with weird behaviours.

I have installed logwatch on openSUSE (computerA) and I have now run the command, but I changed it a little because some options are not in --help, I mean "--save".
This is what I executed:
sudo /usr/sbin/logwatch --detail High --service All --range All --archives --numeric --logfile logwatch.log >> logwatch.log
This is a 16000-line file.

The output.log from the earlier sh line is 51000 lines.

I have also taken the output.log from computerB (20000 lines), but I don't remember whether I took it as root.

I will have a look at the CERT Intruder Detection Checklist in the next few hours.


[Second post answer]
Yep, I also think there is a lot of garbage that is not really relevant (old viruses and cracks... not used for a long time).

For these months computerA was the only computer connected to the router, which goes directly to the neighbourhood line towards the DSLAM.
computerB was connected to the router for the first time yesterday, when I was also worried that this computer would be "infected" from computerA.
The second time I connected computerB was this morning, to make the tests that I posted above. Now it remains disconnected to avoid more problems.
It was switched off only last night; now I keep it switched on.

Markers = Bookmarks. I have asked the two users of computerA and they know how to add/delete bookmarks, and they are pretty sure they didn't modify them.
Not only that: imagine that the markers you usually check are the main webpages of your company, let's call it Company X. Ok, the modification of the markers was the deletion of the Company X webpage links and the addition of Company Z links, which in turn are "enemies, competitors, opposing research groups" of Company X. That is why I thought it was some sort of "threat".

I'm going to check the Mozilla support page now.

About dhclient.conf, I imagine that it is because of yesterday's weird behaviour on computerB when I connected it for the first time.
Ok, there is no /etc/dhcp/dhclient.conf but there is /etc/dhcpcd.conf with this content:
Code:
hostname
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
option ntp_servers
option interface_mtu
require dhcp_server_identifier
nohook lookup-hostname
#noip4ll
noipv6rs
I write only the relevant lines (not the commented ones).

As I said, this morning, to get the Internet connection (whereas yesterday when I executed sudo dhcpcd eth0 it worked properly), I needed to change:
"noipv4ll" to "#noipv4ll"
and I have also added "noipv6rs"

The thing you say about the hostname is one thing I checked yesterday when I saw "unknown00245462846", and in /etc/hosts it was the normal value.
And because today I switched on the computer, the value after @ in the prompt was "localhost", so, the normal value.

I cannot check now what was in the hostnames yesterday, because today it was restored. Now it is "localhost".

I don't understand this line: " Do you have a request line with host-name in it? If so, this is probably what happened. "

But if I do: $ hostname
I still get:
unknown00245462846

So, it must be stored somewhere.

Ok, so maybe this:
Quote:
Looking at the log files, you can see where your system obtained a DHCP lease. Immediately following this part of your KDE system crashed, "konsole[1156]: segfault at 84 ip b73128d4" Note the pid number 1156. Pids in this range are missing in your process list, but are immediately followed by /usr/bin/X :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-WnL9Aa, which looks like a restart of X, fitting with the theory that changing hostname conflicts with the display manager. The pause you saw was likely this crashing, restarting, and trying to generate a core dump.
That is because it froze and, like today with the problems in the whole of KDE, there was no possibility to use a terminal (just Yakuake, no new terminals), no new applications like emacs, and those errors appeared.
But it is still really weird; it never happened before in the time I have been using ArchLinux (almost 7 months).


Really, thank you for everything. I am really surprised by your altruistic labour. Thanks again!

OK! I tried to attach the three files here but they are larger than 256kB. So, I sent you an email with the zip file (710kB) with the three files inside.

Last edited by Zzipo; 03-13-2013 at 01:06 PM. Reason: Attachment
 
Old 03-13-2013, 12:58 PM   #10
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I responded to you via PM yesterday. In doing so, you received my email contact information. It may be better to send the files directly to me as a .zip file instead of trying to break them up into several 'code' sections. Alternatively, if you click the 'go advanced' button at the bottom of the text window, you will get an option to include an attachment. A third option is to use a 3rd party resource like dropbox to post the files to a common area.

Normally, I agree with posting information in the forums rather than taking it off line into private areas because I believe the data, analysis, and record thereof serve the greater good of everyone. In this case, I am also weighing this against the needs to help you identify the cause of your mystery.

Edit: I posted this while you were posting your last entry above - hence the overlap on the email statements.

Last edited by Noway2; 03-13-2013 at 12:59 PM.
 
1 members found this post helpful.
Old 03-13-2013, 06:31 PM   #11
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Here is some follow up for you.
The good news is that I can't see any indication of aberrant processes in the tree, extra copies of bash, or other signs of an active intrusion in your system. You're not running server processes and you have a firewall up. There are no indications of users other than userA; there are no indications of attempts to SU to root by this user, only kdesud, which is used for privileged execution. The network connections don't show any indication of unexpected active connections or processes listening for connections.

Now here is what I do see. Your Konsole is crashing a lot, which is strange. You also have A LOT of files in /tmp. It also looks like you're getting pinged on port 6881, which is probably Azureus Bit Torrent, though this is being blocked by your firewall. Since Suse is RPM based you should be able to use the rpm verify (RPM -vA) to see if any system files have been changed compared to your package. I would pay particular attention to konsole since it is crashing and consider running an md5sum against the binary and then comparing to the package version (you should be able to locate it from rpm.pbone.net). Next, I would run a thorough search of the home directory. In particular look for hidden files and executable files. Look for any files that have been modified or created since slightly before your suspected issue. You should be able to use the find command for this purpose, with an example being in the CERT check list. Next, I would run the 'file' command on those temp files to see what type of file they are. In particular see if any of them are executable and also look for executable permissions. I would also double check any java applications and look cautiously at any firefox plug ins.

It also looks like you might have a mix of kde3 and kde4 as seen in the parameter list of the programs. I am wondering if you have some form of incompatibility that is causing crashes.

Finally, I would like to ask what was the nature of the changes to the markers? You mentioned it being in your language, but can you elaborate? This might be helpful to understand what transpired. Do you think it is possible that this is a form of corruption rather than malicious activity?
 
1 members found this post helpful.
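The home-directory search recommended in the post above (files modified after a cutoff, hidden files, executable files, and `file` run on each), as an added shell example that is not from this thread; the function names and the "reference file as cutoff" convention are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage a directory the way the post above
# suggests: list regular files changed after a reference time, flag the hidden
# and the executable ones, and run `file` on each to see what they really are.
# The cutoff is the mtime of a reference file, e.g. created with
#   touch -t 201302200000 /tmp/cutoff      (slightly before the suspected issue)

# recent_files DIR REF -> regular files under DIR modified after REF, one per line
recent_files() {
    find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# classify PATH -> prints "hidden", "exec", "hidden+exec" or "plain"
classify() {
    tag=""
    case "$1" in
        */.*) tag="hidden" ;;   # a dot-file, or anything inside a dot-directory
    esac
    if [ -x "$1" ]; then
        tag="${tag:+$tag+}exec"
    fi
    echo "${tag:-plain}"
}

# triage_recent DIR REF -> one line per recent file: tag, path and `file` type.
# Returns 0 when every recent file is "plain", 1 when a hidden or executable
# file was found (the ones worth a closer look).
triage_recent() {
    found=0
    old_ifs=$IFS
    set -f      # no globbing while we split the file list
    IFS='
'   # split on newlines only, so paths containing spaces survive
    for f in $(recent_files "$1" "$2"); do
        tag=$(classify "$f")
        ftype=$(file -b "$f" 2>/dev/null || echo "unknown (file(1) not available)")
        printf '%-12s %s: %s\n' "$tag" "$f" "$ftype"
        [ "$tag" = "plain" ] || found=1
    done
    IFS=$old_ifs
    set +f
    return $found
}

# Stand-alone use:  sh this_script.sh "$HOME" /tmp/cutoff
if [ "$#" -eq 2 ]; then
    triage_recent "$1" "$2"
fi
```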
Old 03-18-2013, 08:02 AM   #12
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Any follow up to this? As I mentioned above, there doesn't seem to be any indication of a root level intrusion, nor was your system in a position where such an event would have been likely. You still need to follow up with a thorough investigation of your user space.

Please let us know if you desire any help with this, assuming you are still interested.
 
Old 03-19-2013, 12:59 PM   #13
Zzipo
LQ Newbie
 
Registered: Mar 2013
Posts: 28

Original Poster
Rep: Reputation: Disabled
Hello,

Sorry to answer so late; I read it the other day but I was out this weekend.

I have read the CERT intrusion checklist, but it is from 1997, so I was searching for an updated one... with no results. So, I will do it now with that one.

I suppose now that all the info is about computerA (openSUSE), and not about computerB (arch).

I have done:
sudo rpm -qVa
Code:
5S.T.....    /var/spool/atjobs/.SEQ
5S.T.....  c /etc/pulse/client.conf
5S.T.....  c /etc/xinetd.d/vnc
.......M.    /etc/cups
.......M.    /var/lock
.....U...    /var/cache/cups
5S.T.....  c /etc/sysconfig/SuSEfirewall2
5S.T.....  c /etc/default/passwd
5S.T.....  c /etc/postfix/main.cf
5S.T.....  c /etc/postfix/master.cf
.....U...    /var/spool/postfix
...T.....    /usr/lib/gconv/gconv-modules.cache
5S.T.....  c /etc/fonts/suse-font-dirs.conf
5S.T.....  c /usr/lib/jvm/java-1.6.0-openjdk-1.6.0/jre/lib/fontconfig.SuSE.properties
...T.....  c /etc/YaST2/control.xml
5..T.....  c /usr/share/kde4/config/kdm/kdmrc
"needed/missed"   /var/run/systemtap
5S.T.....  c /etc/sane.d/dll.conf
5S.T.....    /usr/share/sane/descriptions-external/epkowa.desc
5S.T.....  c /etc/maven/maven2-depmap.xml
5S.T.....  c /usr/share/fonts/encodings/encodings.dir
5S.T.....  c /usr/share/fonts/misc/fonts.dir
..L......  c /etc/pam.d/common-account
..L......  c /etc/pam.d/common-auth
..L......  c /etc/pam.d/common-password
..L......  c /etc/pam.d/common-session
......G..    /etc/cups/cupsd.conf.default
5S.T.....  c /etc/pam.d/login
...T.....  c /usr/share/fonts/100dpi/fonts.dir
5S.T.....  c /usr/share/fonts/Speedo/fonts.dir
5S.T.....  c /usr/share/fonts/Speedo/fonts.scale
5S.T.....  c /usr/share/fonts/Type1/fonts.dir
5S.T.....  c /usr/share/fonts/Type1/fonts.scale
...T.....  c /usr/share/fonts/cyrillic/fonts.dir
5S.T.....  c /usr/share/fonts/truetype/fonts.dir
5S.T.....  c /usr/share/fonts/truetype/fonts.scale
5S.T.....  c /usr/lib/libreoffice/share/config/javasettingsunopkginstall.xml
......G..    /usr/lib/kde4/libexec/kcheckpass
"Dependencies not satisfied for" nautilus-dropbox-1.4.0-1.fc10.i386:
        nautilus-extensions >= 2.16.0 "is needed for (install)" nautilus-dropbox-1.4.0-1.fc10.i386
5..T.....  c /etc/inittab
falta   /var/cache/libx11/compose/l4_024_313cb605_00280cc0
5S.T...M.    /usr/share/applications/defaults.list
5S.T.....  c /etc/splashy/config.xml
..L......    /usr/bin/netcat
..L......  d /usr/share/man/man1/netcat.1.gz
If I try to check the integrity differences between the installed konsole binary and konsole from the repositories, I have some problems.

I do:
Code:
userA@compA:~> md5sum /usr/bin/konsole
e49e909be3987f03c12afdfe54be363b  /usr/bin/konsole

userA@compA:~> rpm -q konsole
konsole-4.7.2-2.3.1.i586

userA@compA:~> zypper search -s konsole
The repository 'Updates for openSUSE 12.1 12.1-1.4' is not updated. You can execute 'zypper refresh' as superuser (root) to update it.
Error in the downloading (curl) of 'http://opensuse-guide.org/repo/12.1/repodata/repomd.xml':
Error code: User abort
Error message: connect() timed out!

¿Cancel, Retry, Ignore? [c/r/i/?] (c):
I try to access that file from the Web, and it doesn't load. I think it is because it is old.
If I do "zypper refresh" I will probably replace the repositories and I will avoid the previous versions, but I don't really know, so I didn't execute that.

I don't know how to check the md5sum of the same version of konsole that I have installed on my computer.
So, I searched on the Web, found the link you mentioned, and then downloaded from one of the ftp links... because I don't see any md5 checksum there.
http://rpm.pbone.net/index.php3/stat....i586.rpm.html
I downloaded the file, opened the rpm, and then extracted it and ran md5sum on the file "konsole". (I opened the rpm with Ark, then as a Tar file, and konsole is inside the usr/bin folder hierarchy of the file.)
Code:
userA@compA:~/Downloads> md5sum konsole
e49e909be3987f03c12afdfe54be363b  konsole
So, we can see that the numbers are the same. I don't know what the easy way to do this process of checking these two things could be.

I see in "updates of openSUSE" several updates, some of them in the category "Security". But well, I am planning to format this system when I finish with this.

I will now do the find command in the home folder.

About the markers:

I'm pretty sure (100%) the users didn't modify that. And if it was some weird/erroneous manipulation of the Firefox user interface, it is not so easy. At least "Bookmarks - Toolbar - FolderX - Right Button - Delete" twice, and then adding another two.
One or two random clicks could provoke something, but not so many things, movements.

What really happened [context].
Imagine that there are two companies, A and B. They are "competitors" in research programs, some sort of "enemies". (There are also other companies that work in the same area.)
Users of computerA work for company A. They usually go to the website of company A and other websites related to their job, which are stored in Mozilla Firefox bookmarks, inside a folder.
One day, the users of computerA see that two of the whole group of links in that folder (the website of company A and another one related to their job) have been replaced with the website of company B and another website related to the job.
The user thinks that it is a joke by userB, deletes both links and adds the original links again in that folder.
The website of company A and the other original website related to their job worked normally that day.

sudo find / -user root -perm -4000 -print
Code:
/opt/kde3/bin/kpac_dhcp_helper
/opt/kde3/bin/start_kdeinit
/lib/dbus-1/dbus-daemon-launch-helper
/sbin/mount.nfs
/sbin/unix_chkpwd
/sbin/unix2_chkpwd
/bin/mount
/bin/su
/bin/eject
/bin/ping
/bin/ping6
/bin/umount
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib/pt_chown
/usr/lib/kde4/libexec/kcheckpass
/usr/lib/kde4/libexec/start_kdeinit
/usr/lib/chrome_sandbox
/usr/sbin/zypp-refresh-wrapper
/usr/bin/chage
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/at
/usr/bin/passwd
/usr/bin/expiry
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/crontab
find: `/home/userA/.gvfs': Denegate permission
find: warning: not following the symbolic link `/windows/ussr/Program Files'
find: warning: not following the symbolic link `/windows/ussr/Users/Default/AppData/Local/Application Data'
find: warning: not following the symbolic link `/windows/ussr/Users/Default/Application Data'
[several like the three above from the /windows location]
find: `/proc/8237/task/8237/fd/4': File or directory doesn't exist
find: `/proc/8237/task/8237/fdinfo/4': File or directory doesn't exist
find: `/proc/8237/fd/4': File or directory doesn't exist
find: `/proc/8237/fdinfo/4': File or directory doesn't exist
sudo find / -group kmem -perm -2000 -print
Code:
find: `/home/userA/.gvfs': Denegate permission
find: warning: not following the symbolic link `/windows/ussr/Program Files'
find: warning: not following the symbolic link `/windows/ussr/Documents and Settings'
find: warning: not following the symbolic link `/windows/ussr/Program Files/Common Files'
[several like the three above]
find: `/proc/8481/task/8481/fd/4': File or directory doesn't exist
find: `/proc/8481/task/8481/fdinfo/4': File or directory doesn't exist
find: `/proc/8481/fd/4': File or directory doesn't exist
find: `/proc/8481/fdinfo/4': File or directory doesn't exist
Point 3 of the checklist:
- So, should I trust the md5sum program? If an intruder can modify the sum tools, maybe they can also modify the md5sum program, and the sums I am checking now are incorrect.
- It says to check "login, su, telnet, netstat, ifconfig, ls, find, du, df, libc, sync, any binaries referenced in /etc/inetd.conf", but I have to do the same process as before:
Code:
userA@compA:~> whereis ifconfig
ifconfig: /sbin/ifconfig /usr/share/man/man8/ifconfig.8.gz
userA@compA:~> md5sum /sbin/ifconfig 
69b021dfe3c23e072e63763a1a299a1a  /sbin/ifconfig
And then search for that package on the Web, download, extract and do the checksum...
Any other easier/faster way?
- inetd.conf doesn't exist. I have found xinetd.conf, but it doesn't show any binary program:
Code:
#
# xinetd.conf
#
# Copyright (c) 1998-2001 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2002 SuSE Linux AG, Nuernberg, Germany.
#

defaults
{
        log_type        = FILE /var/log/xinetd.log 
        log_on_success  = HOST EXIT DURATION
        log_on_failure  = HOST ATTEMPT
#        only_from       = localhost
        instances       = 30
        cps             = 50 10

#
# The specification of an interface is interesting, if we are on a firewall.
# For example, if you only want to provide services from an internal
# network interface, you may specify your internal interfaces IP-Address.
#
#       interface       = 127.0.0.1

}
Point 4: I haven't done that.

I will continue in a while.

Thank you for all, and sorry for the delay.

Last edited by Zzipo; 03-19-2013 at 02:05 PM.
 
Old 03-19-2013, 01:30 PM   #14
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Thank you for the follow up. I will say that overall, in terms of handling a security incident investigation you've done remarkably well!

A few things in response to your latest post.

There are two ways to verify system files. The first, and easier, way is via the RPM tool, which you used first. Sometimes this doesn't pan out, as you discovered with Konsole, and you used the best procedure of finding a known version of the file and then manually comparing its footprint. In your case, Konsole looks clean.

This brings us to the list of file differences. Files in /var tend to change, and having them differ from the original package version is not really surprising. Sometimes they are worth checking out. In your case, you have modifications to the AT jobs, which are like cron tasks in that one can say "at time X do something". What's more, you have a hidden file, as shown by the . in front of the file name. I would investigate this file carefully as it may be a clue.

Other files, such as those in /etc, like those marked with a 'c' are configuration files. These too are likely to change relative to the package defaults. You might want to take a look through the list and see if any of them strike you as unexpected. Pay particular attention to the pam.d changes as these involve the user authentication system.

Another one that jumps out at me is /usr/lib/kde4/libexec/kcheckpass, which again is associated with user logins.

The one that really bugs me is netcat. Netcat can be used to redirect network connections. The system binary file and the manual page for it have both been replaced with links. You should definitely investigate this!

Thank you for the explanation as to the nature of the change. It certainly puts things into perspective, and I agree with you that it doesn't look accidental; however, it also isn't something that I think would be characteristic of a random web intruder either.

The above is a list of things for you to look into. Putting everything together, I am suspicious of a possible attempt at espionage of some form, possibly involving user credentials or information gathering, and only an investigation into the nature of these changes will tell you.

I do highly recommend that you continue this process before you reformat and wipe the system. If you find that you do have something of this nature going on, a rewipe won't fully address the problem AND you will want / need the evidence to prove your point.
 
1 members found this post helpful.
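To go with the two questions above (can md5sum itself be trusted, and is there a faster way than downloading each package) and the points about the symlinked netcat and the hidden at job, here is an added Python example, not code from this thread or from openSUSE: it audits a tree against a known-good manifest using Python's own hashlib rather than the system md5sum binary, flags binaries that have been replaced by symlinks, and lists setuid/setgid files outside an allow-list. Every path, file content and digest in demo() is constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

def md5_of(path):
    # Digest computed in-process; a tampered /usr/bin/md5sum cannot influence it.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(root, manifest, allowed_setuid):
    """manifest: {relpath: md5 of the known-good file}; allowed_setuid: set of relpaths.
    Returns a sorted list of (relpath, reason) findings."""
    findings = []
    for rel, want in manifest.items():
        p = os.path.join(root, rel)
        if os.path.islink(p):                      # binary swapped for a link (the netcat case)
            findings.append((rel, "replaced by symlink -> " + os.readlink(p)))
        elif not os.path.isfile(p):
            findings.append((rel, "missing"))
        elif md5_of(p) != want:
            findings.append((rel, "md5 mismatch"))
    for dirpath, _, names in os.walk(root):        # same idea as find / -perm -4000 -o -perm -2000
        for n in names:
            p = os.path.join(dirpath, n)
            m = os.lstat(p).st_mode                # lstat: do not follow links
            if stat.S_ISREG(m) and m & (stat.S_ISUID | stat.S_ISGID):
                rel = os.path.relpath(p, root)
                if rel not in allowed_setuid:
                    findings.append((rel, "unexpected setuid/setgid file"))
    return sorted(findings)

def demo():
    """Constructed tree: a clean setuid passwd, a modified ifconfig, nc replaced by a
    link, and a hidden setuid file that is not on the allow-list."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    def put(rel, data, mode=0o755):
        p = os.path.join(root, rel)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)
    put("usr/bin/passwd", b"good passwd", 0o4755)
    put("usr/bin/ifconfig", b"trojaned ifconfig")
    put("usr/bin/busybox", b"busybox")
    os.symlink("busybox", os.path.join(root, "usr/bin/nc"))
    put("usr/bin/.hidden", b"dropper", 0o4755)
    manifest = {"usr/bin/passwd": hashlib.md5(b"good passwd").hexdigest(),
                "usr/bin/ifconfig": hashlib.md5(b"clean ifconfig").hexdigest(),
                "usr/bin/nc": hashlib.md5(b"clean nc").hexdigest()}
    return audit(root, manifest, {"usr/bin/passwd"})
```

In real use the manifest digests must come from a source the suspect machine cannot have altered (the original packages on trusted media, or the RPM database of a clean install), and the script should be run from a trusted boot environment rather than the suspect system's own Python.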
Old 03-19-2013, 05:15 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
...additionally I would like to point out that there has been a lot of talk about "markers" but no actual data has been shown: depending on the bookmark format there may be at least one date attached to a bookmark. Also, backups aren't mentioned: if you make daily backups then it would be easier to pinpoint the time of change and what actually changed. If daily backups include the whole of the user's browser directory, this may also include the user's browsing history, which may or may not reveal more clues.

*Personally I would not waste time trying to guess, speculate or formulate hypotheses. Entertaining as that may be, letting the facts (if any) speak for themselves would be "better" IMHO.
 